Deeplinks
https://www.eff.org/rss/updates.xml/Coders%27-Rights-Project
EFF's Deeplinks Blog: Noteworthy news from around the internet
en

The Global Ambitions of Pakistan's New Cyber-Crime Act
https://www.eff.org/deeplinks/2016/08/global-ambitions-pakistans-new-cyber-crime-act
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Despite near-universal condemnation from Pakistan's tech experts, despite the efforts of a <a href="http://digitalrightsfoundation.pk/2016pecbconsultation/">determined coalition</a> of activists, and despite numerous attempts by <a href="http://bolobhi.org/summary-senate-standing-committee-on-its-subcommittee-meetings-on-pecb/">alarmed politicians</a> to patch its many flaws, Pakistan's <a href="http://digitalrightsfoundation.pk/wp-content/uploads/2016/08/PECB2016.pdf">Prevention of Electronic Crimes Bill (PECB)</a> last week passed into law. Its passage ends an eighteen-month-long battle between Pakistan's government, who saw the bill as a flagship element of their anti-terrorism agenda, and <a href="https://content.bytesforall.pk/node/196">the technologists and civil liberties groups</a> who slammed the bill as an incoherent mix of anti-speech, anti-privacy and anti-Internet provisions.</p>
<p>But the PECB isn't just a tragedy for <a href="http://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=16879&amp;LangID=E">free expression</a> and <a href="https://www.privacyinternational.org/node/881">privacy</a> within Pakistan. Its broad reach has wider consequences for Pakistan nationals abroad, and international criminal law as it applies to the Net.</p>
<p>The new law creates broad crimes related to "cyber-terrorism" and its "glorification" online. It gives the authorities the opportunity to threaten, target and censor unpopular online speech in ways that go far beyond international standards or Pakistan's own free speech protections for offline media. Personal digital data will be collected and made available to the authorities without a warrant: the products of these data retention programs can then be handed to foreign powers without oversight.</p>
<p>PECB is generous to foreign intelligence agencies. It is far less tolerant of other foreigners, or of Pakistani nationals living abroad. Technologists and online speakers outside Pakistan should pay attention to the first clause of <a href="http://digitalrightsfoundation.pk/wp-content/uploads/2016/08/PECB2016.pdf">the new law</a>:</p>
<blockquote><ol><li>This Act may be called the Prevention of Electronic Crimes Act, 2016.</li>
<li>It extends to the whole of Pakistan.</li>
<li>It shall apply to every citizen of Pakistan <em>wherever he may be</em> and also to every other person for the time being in Pakistan.</li>
<li>It shall also apply to <em>any act committed outside Pakistan</em> by any person if the act constitutes an offence under this Act and affects a person, property, information system or data location in Pakistan.</li>
</ol></blockquote>
<p><a href="https://www.eff.org/issues/cfaa">Poorly-written cyber-crime laws</a> criminalize everyday and innocent actions by technology users, and the PECB is no exception. It criminalizes the violation of terms of service in some cases, and ramps up the penalties for many actions that would be seen as harmless or positive acts in the non-digital world, including unauthorized copying and access. Security researchers and consumers frequently conduct "unauthorized" acts of access and copying for legitimate and lawful reasons. They do it to exercise their right of fair use, to expose wrongdoing in government, or to protect the safety and privacy of the public. Violating website terms of service may be a violation of your agreement with that site, but no nation should turn those violations into felonies.</p>
<p>The PECB asserts an international jurisdiction for these new crimes. It says that if you are a Pakistan national abroad (over 8.5 million people, or 4% of Pakistan's total population) you too can be prosecuted for violating its vague statutes. And if a Pakistan court determines that you have violated one of the prohibitions listed in the PECB in such a way that it affects any Pakistani national, you can find yourself prosecuted in the Pakistan courts, no matter where you live.</p>
<p>Pakistan isn't alone in making such broad claims of jurisdiction. Some countries claim the power to prosecute a narrow set of serious crimes committed against their citizens abroad under <a href="https://www.asil.org/sites/default/files/benchbook/jurisdiction.pdf">international law's</a> "passive personality principle" (the U.S. does so in some of its anti-terrorism laws). Other countries claim jurisdiction over the actions of their own nationals abroad under the "active personality principle" (for instance, in cases of treason).</p>
<p>But Pakistan's cyber-crime law asserts both principles simultaneously, and explicitly applies them to all cyber-crime, both major and minor, defined in PECB. That includes creating "a sense of insecurity in the [Pakistani] government" (Ch.2, 10), offering services to change a computer's MAC address (Ch.2, 16), or building tools that let you listen to licensed radio spectrum (Ch.2, 13 and 17).</p>
<p>The universal application of such arbitrary laws could have practical consequences for the thousands of overseas Pakistanis working in the IT and infosecurity industries, as well as for those in the Pakistan diaspora who wish to publicly critique Pakistani policies. It also continues the global jurisdictional trainwreck that surrounds digital issues, where every country demands that its laws apply and must be enforced across a borderless Internet.</p>
<p>Applying what has been described as <a href="https://www.eff.org/deeplinks/2015/11/deeper-look-inside-pecb-pakistans-terrible-cyber-crime-bill">"the worst piece of cyber-crime legislation in the world"</a> <em>to</em> the world is a bold ambition, and the current Pakistani government's reach may well have exceeded its grasp, both under international law and its own constitutional limits. The broad coalition who fought PECB in the legislature will now <a href="http://arstechnica.co.uk/tech-policy/2016/08/pakistan-cyber-law-faces-legal-challenge/">seek to challenge it in the courts</a>.</p>
<p>But until they win, Pakistan has overlaid yet another layer of vague and incompatible crimes over the Internet, and its own far-flung citizenry.</p>
</div></div></div>
Thu, 18 Aug 2016 22:13:12 +0000
Danny O&#039;Brien
92689 at https://www.eff.org
Legislative Analysis, Coders' Rights Project, International, Mandatory Data Retention

EFF Takes on The Eleventh HOPE
https://www.eff.org/deeplinks/2016/07/eff-takes-eleventh-hope
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><img src="https://www.eff.org/files/2016/06/01/the_11th_hope_icon_128x128.png" alt="" title="EFF Takes New York" align="right" />EFF staffers will spread the online freedom message at 2600 Magazine's biennial Hackers on Planet Earth (HOPE) conference from July 22 to July 24. The Eleventh HOPE will take place at the historic Hotel Pennsylvania in New York and host numerous presentations on such diverse topics as automobile software hacking, pervasive surveillance, the blockchain, and fostering community.</p>
<p>Representatives from multiple teams at EFF will lead a flurry of activities over the long weekend in New York. HOPE attendees will have the opportunity to hear our talks about online freedom issues, participate in EFF's "capture the flag" hacking contest all weekend, and speak directly to EFF staffers at our vendor hall booth. Additionally, all New York area EFF members are invited to a Speakeasy meetup on Friday evening. Read on for more details.</p>
<h2>Learn About Online Rights</h2>
<p>We're proud to present the following talks as part of the program for The Eleventh HOPE. The full schedule is available <a href="https://xi.hope.net/schedule.html">here</a>.</p>
<p><a href="https://xi.hope.net/schedule.html#-ask-the-eff-the-year-in-digital-civil-liberties-"><strong>Ask the EFF: The Year in Digital Civil Liberties</strong></a><br />
Friday, July 22, 2016 at 3:00 pm, Location: Lamarr (18<sup>th</sup> Floor)</p>
<p><a href="https://xi.hope.net/schedule.html#-privacy-badger-and-panopticlick-vs-the-trackers-round-1-"><strong>Privacy Badger and Panopticlick vs. the Trackers, Round 1</strong></a><br />
Friday, July 22, 2016 at 6:00 pm, Location: Lamarr (18<sup>th</sup> Floor)</p>
<p><strong><a href="https://hope.net/workshops.html">Workshop: Automating Certificate Issuance with the ACME protocol and Let's Encrypt</a></strong><br /><em> Listed as "The Next Billion Certificates: Let’s Encrypt and Scaling the Web PKI"</em><br />
Saturday, July 23, 2016 at 12:00 pm, Location: Paris<br />
Let’s Encrypt is a free and automated certificate authority. If you are developing a client to integrate with Let’s Encrypt or trying to deploy Let’s Encrypt certificates at scale, come to this workshop to discuss best practices and work through any issues. Optional: bring your laptop.</p>
<p><a href="https://xi.hope.net/schedule.html#-keynote-address-cory-doctorow-"><strong>Keynote, Cory Doctorow</strong></a><br />
Saturday, July 23, 2016 at 1:00 pm, Location: Lamarr, Noether, Friedman</p>
<p><a href="https://xi.hope.net/schedule.html#-the-next-billion-certificates-let-s-encrypt-and-scaling-the-web-pki-"><strong>The Next Billion Certificates: Let’s Encrypt and Scaling the Web PKI</strong></a><br />
Sunday, July 24, 2016 at 10:00 am, Location: Lamarr (18<sup>th</sup> Floor)</p>
<h2>Legal Inquiries</h2>
<p>EFF staff attorneys will be present to help support the community. If you have legal concerns regarding an upcoming talk, or sensitive infosec research that you are conducting for HOPE or at any time, please email <a href="mailto:info@eff.org">info@eff.org</a> and we will do our best to get you the help that you need.</p>
<h2>Meat Space Meet Up</h2>
<p>Our semi-secret series of EFF Speakeasy member meetups returns to take over a Manhattan bar. These events are free, casual meetups that give you a chance to mingle with local members and meet the people behind the world's leading digital civil liberties organization. It is also <em>our</em> chance to thank you, the EFF members who make this work possible. Current EFF members receiving email in the New York area received an email invitation with location details on July 1.</p>
<p>For more information contact <a href="mailto:membership@eff.org">membership@eff.org</a>. Not a member of EFF yet? Help defend our future when you <a href="https://supporters.eff.org/donate/speakeasy">join today</a>!</p>
<h2>Shall We Play A Game?</h2>
<p><a href="https://www.eff.org/event/eff-capture-flag-eleventh-hope">EFF's "Capture the Flag" hacking contest</a> launches on Friday, July 22 at noon and runs through Sunday at noon. All attendees at The Eleventh HOPE are encouraged to participate! This will be a Jeopardy-style CTF with a number of challenges and puzzles to solve for points. The challenges will include web hacking, reverse engineering, cryptography, forensics, and more. Participants will need access to a Linux-based OS for certain challenges. All skill levels are welcome! We have a variety of challenges ranging from first-timer-friendly to fiendishly hard.</p>
<p>The first players on the scoreboard are eligible for a <a href="https://www.yubico.com/products/yubikey-hardware/yubikey4/"> free YubiKey 4</a> courtesy of Yubico! The top CTF winners will receive an array of special EFF gear, books from <a href="https://www.nostarch.com/">No Starch Press</a>, and infinite bragging rights.</p>
<p>Contest details at <a href="https://www.eff.org/event/eff-capture-flag-eleventh-hope">eff.org/HOPECTF</a></p>
<p></p><center>SPECIAL THANKS TO EFF'S CAPTURE THE FLAG SPONSORS:
<p><a href="https://www.malwarebytes.com"><img src="https://www.eff.org/files/2016/05/31/malwarebytes.jpg" alt="" height="47" width="203" /></a> <a href="http://www.gandi.net/"><img src="https://www.eff.org/files/gandi.jpg" alt="" height="44" width="151" /></a></p>
<p></p></center>
<p>Cheers to HOPE and the hacker community for standing alongside EFF to preserve the freedom to explore, tinker, and create.</p>
</div></div></div>
Fri, 08 Jul 2016 18:00:47 +0000
Aaron Jue
92281 at https://www.eff.org
Announcement, Coders' Rights Project

Computer Crime Bill Stalls in Rhode Island
https://www.eff.org/deeplinks/2016/06/computer-crime-bill-stalls-rhode-island
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p class="MsoNormal">Rhode Island legislators recently decided not to advance a <a href="http://webserver.rilin.state.ri.us/billtext16/housetext16/h7406a.pdf">bill</a> that would have made that state’s bad “anti-hacking” law even worse. This is good news. But the struggle continues against other vague and overbroad computer crime laws.</p>
<p class="MsoNormal">As EFF previously <a href="https://www.eff.org/deeplinks/2016/05/will-rhode-island-double-down-cfaas-faults">explained</a>, this Rhode Island bill was a threat to many different kinds of innocent, common, and beneficial uses of computers. It would have further empowered prosecutors to bring charges against computer users who violate a corporate terms-of-service agreement to access confidential information, as well as whistleblowers and independent computer security researchers. It would have imposed a minimum of five years of incarceration for a first offense, even where there was no intent to obtain financial gain. It allowed for the stacking of charges, enabling prosecutors to seek even lengthier prison terms. And there was no showing that existing laws are insufficient to protect confidential computer data.</p>
<p class="MsoNormal">That’s why we sent legislators two letters opposing this bill (<a href="https://www.eff.org/files/2016/05/25/2016-05-25_group_letter_opposing_ri_h7406-s2584_-_memo.pdf">here</a> and <a href="https://www.eff.org/files/2016/05/25/2016-05-25_group_letter_opposing_ri_h7406-s2584_-_introduction.pdf">here</a>), along with our allies Access Now, the Center for Democracy and Technology, the Bill of Rights Defense Committee and the Defending Dissent Foundation, and the Open Technology Institute. The ACLU of Rhode Island also advocated <a href="http://riaclu.org/legislation/bill/unauthorized-computer-access-h-7406-s-2584/">against</a> this bill.</p>
<p class="MsoNormal">EFF fights against bills like this across the country. For example, earlier this month we joined a coalition <a href="https://www.eff.org/deeplinks/2016/06/eff-joins-coalition-opposing-dangerous-cfaa-bill">effort</a> to defeat a bill that would expand the federal Computer Fraud and Abuse Act (<a href="https://www.law.cornell.edu/uscode/text/18/1030">CFAA</a>). We also try to persuade judges to narrowly interpret existing computer crime laws, as we did last month in a friend-of-the-court <a href="https://www.eff.org/press/releases/eff-asks-court-reverse-chelsea-mannings-conviction-violating-federal-anti-hacking-law">brief</a> in support of Chelsea Manning.</p>
<p class="MsoNormal">Perhaps most importantly, EFF works to roll back the many overbroad computer crime laws already on the books. For example, we support <a href="https://www.eff.org/deeplinks/2015/04/aarons-law-reintroduced-cfaa-didnt-fix-itself">Aaron’s law</a>, named for Internet hero Aaron Swartz, which would begin to fix the federal CFAA.</p>
<p class="MsoNormal">Much work remains. The Rhode Island bill may be back next year. But for today, we celebrate the successful effort of EFF and its allies to block the Rhode Island bill.</p>
</div></div></div>
Thu, 23 Jun 2016 07:12:14 +0000
Adam Schwartz
92162 at https://www.eff.org
Legislative Analysis, Terms Of (Ab)Use, Coders' Rights Project, Computer Fraud And Abuse Act Reform

EFF's Badge Hack Pageant Returns to DEF CON
https://www.eff.org/deeplinks/2016/06/effs-badge-hack-pageant-returns-def-con
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><img src="https://www.eff.org/files/2016/06/02/glow_0.jpg" alt="" title="Badge demonstration photo courtesy of @cannibal" align="right" height="177" width="272" />We are proud to announce the return of EFF's Badge Hack Pageant at the 24th annual DEF CON hacking conference in Las Vegas. EFF invites all DEF CON attendees to stretch their creative skills by reinventing past conference badges as practical, artful, and over-the-top objects of their choosing. The numerous 2015 pageant entries included <a href="https://twitter.com/EFF/status/630235135586111488">a crocheted badge cozy</a>, <a href="https://twitter.com/EFF/status/630225072179949568">a quadcopter</a>, <a href="https://twitter.com/EFF/status/630240638940786689">counterfeit badges</a>, a human baby, a breathalyzer, a dazzling array of LED shows, and more than one hand-made record player that would make MacGyver weep. We encourage you to join us and contribute something whether you are a crafter, a beginner, or a hardware hacking wizard. It's a great summer project so get started now and enjoy a great show!</p>
<p>Our esteemed judges Zoz, Joe "Kingpin" Grand, and 1o57 will decide the fate of contestants on <strong>Saturday, August 6 at noon on the main Contests, Villages, and Events stage.</strong></p>
<p>The rules are simple...</p>
<p>1. Enter in one of three categories:<br />
• DEF CON DIGITAL: Circuit board-based badge from DEF CON<br />
• DEF CON ANALOG: Non-digital badge from DEF CON<br />
• WILD CARD: Badge from any other hacker con</p>
<p>2. Get scored at DC24 by our panel of celebrity guest judges based upon these criteria:<br />
• Originality<br />
• Form<br />
• Utility<br />
• ¡X-FACTOR! (overall execution)</p>
<p>3. Identify the badge's origin and wear it around your neck during judging.</p>
<p>4. PROFIT!11!!1one!111 (in the form of bragging rights and gear, at least). EFF will name a winner in each category. Winners will receive special prizes and abundant glory.</p>
<p>There is no limit (except Johnny Law) to what you may add to enhance or embellish your entry. Get started on your entry today and <a href="mailto:membership@eff.org?subject=Badge%20Hack%20Pageant ">please let us know</a> which category you plan to enter. Be sure to sign up officially for the competition at EFF’s Contest booth in Las Vegas. Contestants must be present for the judging session on Saturday, August 6 at noon at the Bally's Las Vegas event center to win. EFF celebrates your ability to pwn what you own.</p>
<p><em>EFF is a member-funded nonprofit organization that has fought to protect digital privacy, free expression, and innovation for over 25 years. Our court work, activism, and tech projects aim to support individual rights worldwide. Consider donating to EFF at DEF CON or <a href="https://www.eff.org/join">becoming an annual member today</a>.</em></p>
<p></p><center><img src="/files/2016/06/02/pageantwinnersdc23.jpg" alt="DC23 contest judges and winners" title=" Zoz, 1o57, Mike, Loather, Mikey, Joe Grand, and Rainbow Unicorns Byte" height="269" width="384" /></center><center>Cheers to our DC23 contest judges and winners!</center><center>Left to right: Zoz, 1o57, <a href="https://twitter.com/EFF/status/630240638940786689">Mikey</a>, <a href="https://twitter.com/EFF/status/630225072179949568">Loather</a>, <a href="https://twitter.com/EFF/status/630240638940786689">Mike</a>, Joe Grand, and <a href="https://twitter.com/EFF/status/630235135586111488">Rainbow Unicorns Byte</a></center>
</div></div></div>
Wed, 08 Jun 2016 18:54:40 +0000
Aaron Jue
91928 at https://www.eff.org
Announcement, Innovation, Coders' Rights Project

EFF Asks Court to Reverse Chelsea Manning’s Conviction for Violating Federal Anti-Hacking Law
https://www.eff.org/press/releases/eff-asks-court-reverse-chelsea-mannings-conviction-violating-federal-anti-hacking-law
<div class="field field-name-field-pr-subhead field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Wikileaks Prosecution Included Unfair Charge Under CFAA</div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p class="MsoNormal">Fort Belvoir, Virginia—The Electronic Frontier Foundation (EFF) <a target="_blank" href="https://www.eff.org/document/us-v-chelsea-manning-eff-amicus-brief">asked</a> a U.S. Army Court of Criminal Appeals Wednesday to overturn Chelsea Manning’s conviction for violating the Computer Fraud and Abuse Act (CFAA), arguing that the law is intended to punish people for breaking into computer systems—something Manning didn’t do.</p>
<p class="MsoNormal"><span>Manning is serving a 35-year sentence for </span><a href="https://www.eff.org/deeplinks/2013/07/manning-verdict-and-hacker-madness-prosecution-strategy"><span>her role</span></a><span> in the release of approximately 700,000 military and diplomatic records to Wikileaks. She was convicted of 19 counts in all, including one under the <a target="_blank" href="https://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_%28CFAA%29">CFAA</a>. Her CFAA conviction stems from using unauthorized software to access a State Department database, which was prohibited by the database’s acceptable use policy.</span></p>
<p class="MsoNormal"><span>The <a target="_blank" href="https://www.eff.org/issues/cfaa">CFAA</a> makes it illegal to intentionally access a computer connected to the Internet without authorization, but it doesn’t specify what “without authorization” means. Although the CFAA is aimed at computer break-ins, data theft, and destruction of computer systems, overzealous prosecutors have taken advantage of the law’s vague language to bring criminal charges that go beyond Congress’s anti-“hacking” purpose. </span></p>
<p class="MsoNormal"><span>"Congress intended to criminalize the act of accessing a computer that you aren’t authorized to access, such as breaking into a corporate computer to steal user data or trade secrets or to spread viruses. The law should not be used to turn a violation of an employer’s computer use restrictions into a federal crime. That’s what happened here," said EFF Legal Fellow Jamie Williams. </span></p>
<p class="MsoNormal"><span>In an amicus <a target="_blank" href="https://www.eff.org/document/us-v-chelsea-manning-eff-amicus-brief">brief</a> filed Wednesday, EFF told the U.S. Army Court of Criminal Appeals that violating a written policy, which restricted Manning from using unauthorized software to access a State Department database, is not a crime under the CFAA. Because most employers impose one-sided computer use policies on their employees, such an interpretation would potentially turn millions of Americans into criminals on the basis of innocuous activities, like browsing Facebook or viewing online sports scores at work in violation of company policy.</span></p>
<p class="MsoNormal"><span>"Three federal circuit courts have recognized that violating computer use policies isn’t a crime under the CFAA, and we’re urging the Army court to follow suit,” said EFF Staff Attorney Andrew Crocker. “We have also urged Congress to adopt </span><a href="https://www.eff.org/deeplinks/2015/04/aarons-law-reintroduced-cfaa-didnt-fix-itself"><span>Aaron’s Law</span></a><span>, named after late programmer and activist Aaron Swartz, who faced CFAA charges. The law would ensure that people won't face criminal liability for violating terms of service agreements or other solely contractual agreements.”</span></p>
<p class="MsoNormal">The Center for Democracy &amp; Technology and the National Association of Criminal Defense Lawyers joined EFF in filing the brief.</p>
<p><span>For our amicus brief:<br /></span><a target="_blank" href="https://www.eff.org/document/us-v-chelsea-manning-eff-amicus-brief"><span>https://www.eff.org/document/us-v-chelsea-manning-eff-amicus-brief</span></a></p>
<p><span><em>Correction: an earlier version of this press release misstated the number of documents leaked. It's approximately 700,000 records.</em><br /></span></p>
</div></div></div><div class="field field-name-field-contact field-type-node-reference field-label-above"><div class="field-label">Contact:&nbsp;</div><div class="field-items"><div class="field-item even"><div class="ds-1col node node-profile view-mode-node_embed clearfix">
<div class="">
<div class="field field-name-field-profile-first-name field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Jamie Lee</div></div></div><div class="field field-name-field-profile-last-name field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Williams</div></div></div><div class="field field-name-field-profile-title field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Staff Attorney</div></div></div><div class="field field-name-field-profile-email field-type-email field-label-hidden"><div class="field-items"><div class="field-item even"><a href="mailto:jamie@eff.org">jamie@eff.org</a></div></div></div> </div>
</div>
</div><div class="field-item odd"><div class="ds-1col node node-profile view-mode-node_embed clearfix">
<div class="">
<div class="field field-name-field-profile-first-name field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Andrew</div></div></div><div class="field field-name-field-profile-last-name field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Crocker</div></div></div><div class="field field-name-field-profile-title field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Staff Attorney</div></div></div><div class="field field-name-field-profile-email field-type-email field-label-hidden"><div class="field-items"><div class="field-item even"><a href="mailto:andrew@eff.org">andrew@eff.org</a></div></div></div> </div>
</div>
</div></div></div>
Thu, 19 May 2016 17:17:48 +0000 Karen Gullo 91716 at https://www.eff.org
Wednesday Hearing in Facebook Case Against Power Ventures
https://www.eff.org/press/releases/wednesday-hearing-facebook-lawsuit-against-power-ventures
<div class="field field-name-field-pr-subhead field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">EFF Battles Facebook’s Claims That It’s a Crime to Bypass an IP Block</div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p class="MsoNormal">San Francisco—The Electronic Frontier Foundation (EFF) will urge a federal appeals court Wednesday to reject Facebook’s claims that it’s a crime to work around an IP address block—an interpretation of the law that could criminalize routine online behavior. EFF Legal Fellow Jamie Williams will participate in oral argument in the case, <a target="_blank" href="https://www.eff.org/cases/facebook-v-power-ventures"><i>Facebook v. Power Ventures</i></a>, set for 9:30 am on Dec. 9 before the United States Court of Appeals for the Ninth Circuit in San Francisco, California.</p>
<p class="MsoNormal">Power Ventures made a web-based tool that allowed users to log into all of their social networking accounts in one place and aggregate messages, friend lists, and other data. Facebook sued Power, claiming it violated a federal anti-hacking statute, the Computer Fraud and Abuse Act (<a target="_blank" href="https://www.law.cornell.edu/uscode/text/18/1030">CFAA</a>), when it provided Facebook users a way to access their data through Power after Facebook blocked a specific IP address the company was using to connect to Facebook data. A district court <a target="_blank" href="https://www.eff.org/document/order-granting-facebooks-motion-summary-judgment-and-denying-power-ventures-motion-summary">sided</a> with Facebook, finding that designing a system to work around IP address blocks could be a crime under the CFAA.</p>
<p class="MsoNormal">The CFAA targets unauthorized acts of breaking into computer systems to steal data and cause other harm. In Wednesday’s hearing, Williams will argue that the Ninth Circuit has already <a target="_blank" href="https://www.eff.org/cases/u-s-v-nosal">ruled</a> that the CFAA must be interpreted narrowly to avoid transforming what was intended to be an anti-hacking statute into a law that could sweep up innocuous conduct. Criminalizing a routine process like switching IP addresses stifles innovation and harms consumers—and it’s not what Congress had in mind.</p>
<p class="MsoNormal">What:<br />
Facebook v. Power Ventures and Steven Vachani</p>
<p class="MsoNormal">Who:<br />
EFF Frank Stanton Legal Fellow Jamie Williams</p>
<p class="MsoNormal">When:<br />
Wednesday, Dec. 9<br />
9:30 am</p>
<p class="MsoNormal">Where:<br />
Ninth Circuit Court of Appeals-James R. Browning Courthouse<br />
Courtroom 2, 3<sup>rd</sup> Fl, Room 330<br />
95 7<sup>th</sup> St.<br />
San Francisco CA 94103</p>
</div></div></div><div class="field field-name-field-contact field-type-node-reference field-label-above"><div class="field-label">Contact:&nbsp;</div><div class="field-items"><div class="field-item even"><div class="ds-1col node node-profile view-mode-node_embed clearfix">
<div class="">
<div class="field field-name-field-profile-first-name field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Jamie Lee</div></div></div><div class="field field-name-field-profile-last-name field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Williams</div></div></div><div class="field field-name-field-profile-title field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Staff Attorney</div></div></div><div class="field field-name-field-profile-email field-type-email field-label-hidden"><div class="field-items"><div class="field-item even"><a href="mailto:jamie@eff.org">jamie@eff.org</a></div></div></div> </div>
</div>
</div></div></div>
Mon, 07 Dec 2015 20:45:38 +0000 Karen Gullo 89241 at https://www.eff.org
Find a Security Vulnerability, Get a Reward: Announcing EFF's Security Vulnerability Disclosure Program
https://www.eff.org/deeplinks/2015/12/find-security-vulnerability-get-reward-announcing-effs-security-vulnerability
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>At EFF we put security and privacy first. This means working hard at keeping our members and site visitors safe, as well as the people who use the software we develop. We also dedicate staff time to advising security researchers, maintaining resources like our <a href="https://www.eff.org/issues/coders/vulnerability-reporting-faq">Coders' Rights Project</a>, and <a href="https://www.eff.org/deeplinks/2010/12/knowledge-power-facebooks-exceptional-approach">helping groups like Facebook improve</a> their bug reporting policies.</p>
<p>Today we're following our own advice by announcing EFF's own <a href="https://www.eff.org/security">Security Vulnerability Disclosure Program</a>. The Disclosure Program is a set of guidelines on how to report bugs in software EFF develops, like <a href="https://github.com/EFForg/https-everywhere">HTTPS Everywhere</a> or <a href="https://github.com/letsencrypt/lets-encrypt-preview">Let's Encrypt</a>, as well as the software we use to run our sites and services. The scope of the bugs we're looking for is detailed on the <a href="https://www.eff.org/security">Security Vulnerability Disclosure Program page</a>, but we're not just looking for bugs in our code. Security vulnerabilities created by the specific configuration of software on EFF servers are also within the scope of this program.</p>
<p>One difference between our program and others is that as a lean, member-driven nonprofit we don't have the resources to match the cash rewards others can provide for zero days. Instead, what we can offer is public acknowledgement on our <a href="https://www.eff.org/security/hall-of-fame">EFF Security Hall of Fame page</a> and other non-cash rewards like <a href="https://supporters.eff.org/shop">EFF gear</a> or <a href="https://supporters.eff.org/sites/all/modules/custom/eff_donate_pages/html/membership_details.html">complimentary EFF memberships</a>. But reporting bugs does more than just help EFF and earn you cool swag. Coordinated disclosure helps us keep the NSA from <a href="https://www.eff.org/press/releases/eff-sues-nsa-director-national-intelligence-zero-day-disclosure-process">exploiting zero days like Heartbleed</a>, and as an organization committed to using and developing <a href="http://freedomdefined.org">free software</a> whenever possible, letting us know about bugs will help us work with upstream software developers to get a fix for impacted users.</p>
<p>Security research is a prerequisite for safe computing. We're lucky to have such a talented base of supporters and members who can donate their time to help us improve online security, so we invite you to help us by inspecting, analyzing, and improving the code we write. We especially want to encourage security researchers to turn their attention towards the <a href="https://github.com/letsencrypt/letsencrypt/tree/master">beta release of the Let's Encrypt Client</a> (the master branch of the linked repo). As an added incentive, we're currently brainstorming even neater rewards which we may only give out for vulnerabilities in that software.</p>
<p>In order to get started, visit our <a href="https://www.eff.org/security">Security Vulnerability Disclosure Program page</a> to view the full reporting guidelines. And don't forget to download a copy of the <a href="https://www.eff.org/files/vulnerabilities_at_eff.txt">GPG key to use when submitting your vulnerabilities</a>. Happy hunting!</p>
</div></div></div>
Thu, 03 Dec 2015 21:25:37 +0000 William Theaker 89199 at https://www.eff.org
Announcement, Coders' Rights Project
EFF Applauds Apple’s Refusal of Government Demand for iMessage Backdoor
https://www.eff.org/deeplinks/2015/09/eff-applauds-apples-refusal-government-demand-imessage-backdoor
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p dir="ltr">Earlier this summer, when FBI Director James Comey made his case for backdooring strong encryption, he told us that he wanted to hash out the policy considerations surrounding encryption, law enforcement, and security in public: “<a href="https://www.lawfareblog.com/encryption-public-safety-and-going-dark">Democracies resolve such tensions through robust debate.</a>” This week, we learned that Comey apparently actually meant that he wanted the debate resolved in secret, before a judge known only to the government, by way of a sealed wiretap order.</p>
<p>In a <a href="http://www.nytimes.com/2015/09/08/us/politics/apple-and-other-tech-companies-tangle-with-us-over-access-to-data.html">brief article in Monday’s New York Times</a>, the paper confirmed a rumor that has been circulating since the beginning of this summer. Apple has been involved in a dispute with the U.S. Department of Justice regarding iMessage encryption, with the DOJ demanding that Apple give them plaintext copies of iMessages in real time, pursuant to a wiretap order. Because iMessage uses <a href="https://ssd.eff.org/en/glossary/end-end-encryption">end-to-end encryption</a>, where only the users hold the keys, Apple is unable to comply with such an order unless it compromises its system and implements a backdoor for the U.S. government. This would compromise the security of every iMessage user, something that Apple has steadfastly refused to do.</p>
<p>According to the Times report, the DOJ obtained a sealed order from an unknown federal district court (not the Foreign Intelligence Surveillance Court) ordering Apple to turn over a suspect’s iMessages. After Apple informed the government that it couldn’t comply with the order, the government backed down rather than seek sanctions or an order holding Apple in contempt.</p>
<p>There’s still much we don’t know about this showdown, but it is far from the robust public debate Director Comey promised. It’s no answer to point to the secret or urgent nature of the case that led the DOJ to seek its wiretap order. Even in the context of ultra-sensitive drug or national security investigations, courts can partially unseal dockets in order to inform the public and allow the participation of interested parties (like EFF!). It’s a technique we’ve seen in important cases concerning <a href="https://www.eff.org/deeplinks/2015/06/california-new-york-cell-phone-location-records-are-private">cell phone location tracking</a> and even <a href="https://www.eff.org/deeplinks/2015/07/same-old-fisa-court-thoughts-opinion-extending-mass-surveillance-6-more-months">NSA surveillance</a>.</p>
<p>The first “Crypto Wars” of the 90s were largely fought in public over specific technical and policy proposals, such as the <a href="https://www.eff.org/deeplinks/2015/04/clipper-chips-birthday-looking-back-22-years-key-escrow-failures">Clipper Chip</a>. These proposals couldn’t bear scrutiny, and <a href="https://www.eff.org/deeplinks/2015/07/fbis-revival-crypto-wars-part-ii-continues-two-hearings-congress">the pro-backdoor crowd lost</a>. Today, rather than accepting that outcome, the government has instead relied on <a href="https://www.eff.org/deeplinks/2015/08/it-again-law-enforcement-officials-anti-encryption-new-york-times-op-ed">scary anecdotes</a> and vague calls for the companies themselves to engineer a “golden key” that allows “exceptional access” to encrypted communications—a backdoor, in other words. This allows the government to simply raise the specter of widespread encryption as an overall threat to society without subjecting their demands to the very public debate that Director Comey claimed to welcome. Their endgame is worrying: either a secret court order forcing companies to reengineer their systems and never speak about it, or possibly worse, a backroom deal with the government that achieves the same thing.</p>
<p>In addition to the <a href="https://www.eff.org/deeplinks/2015/08/deep-dive-crypto-exceptional-access-mandates-effective-or-constitutional-pick-one">questionable legality of any "exceptional access" requirement</a>, experts in the field of cryptography have raised major concerns as to how such a system would be implemented without putting the public at significant risk. Without any solid technical requirements proposed by the DOJ, at this point we can only guess as to how exceptional access might be granted to law enforcement.</p>
<p>Mandated key escrow seems like one real possibility. Key escrow is a system by which a message is encrypted not only to a key belonging to the intended recipient (as with classic public-key cryptography), but also to a key held by law enforcement (or potentially one key held by law enforcement and one by the company, with both necessary for decryption—known as a “split key” system). But as a group of computer security experts <a href="http://www.crypto.com/papers/Keys_Under_Doormats_FINAL.pdf">noted</a>, such a scheme would expose the public to a greater risk in two ways. Firstly, mandating the inclusion of escrow capabilities increases the complexity of software, and more lines of code means more opportunities for the inclusion of security vulnerabilities. Secondly, as the expert report continues, the buildout of a centralized data collection hub makes it a salient target for hackers:</p>
<blockquote><p>Building in exceptional access would substantially increase system complexity. Security researchers inside and outside government agree that complexity is the enemy of security - every new feature can interact with others to create vulnerabilities.</p></blockquote>
<p>We’ve seen this in the past with the buildout of wiretapping capabilities: in a notorious case in 2004 and 2005, a hundred top officials in the Greek government were <a href="https://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%9305">illegally surveilled</a> for a period of ten months by parties unknown when Greece implemented a lawful access program that was subsequently compromised. And the U.S. is no exception. As described in the expert report, an audit conducted by the NSA discovered that all telephone switches intended to comply with government demands for wiretapping were found to have security flaws.</p>
<p>The deployment of Clipper chip hardware to intercept communications went wrong within well-funded, centralized, and highly organized telecommunications infrastructure. We have every reason to believe that the problem will only get worse when the onus is put on the plethora of end-to-end encryption providers (often developed by startups, small teams, or independent developers) to build mandatory backdoors in their software.</p>
<p>Finally, government demands to access users' private communications raise major policy and regulatory questions. Can any government force a U.S. corporation to fork over user data stored outside the U.S.? Will an app developer in the United States with users in Russia be forced to build in a Russian backdoor? Are companies operating in multiple countries forced to build in separate decryption keys for each of the countries they operate in?</p>
<p>These questions should be discussed in a public forum with public participation before any such system is built out, and not as a result of secret court decisions and under a gag order. We applaud Apple’s resolve in standing firm, and we strongly urge the government to bring this debate out in the open where it belongs.</p>
</div></div></div>
Tue, 08 Sep 2015 21:44:49 +0000 Andrew Crocker and Bill Budington and Nate Cardozo 87697 at https://www.eff.org
News Update, Coders' Rights Project, Privacy, Security, Transparency
Cheers to Digital Freedom in Las Vegas
https://www.eff.org/deeplinks/2015/08/cheers-digital-freedom-las-vegas
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><img src="https://www.eff.org/files/filenode/dc19thanks.png" /></p>
<p>As we say goodbye to another summer of computer security conferences, we would like to take a moment to extend our thanks to the countless people who helped bolster civil liberties defense this year in Las Vegas. Organizers and attendees at Security BSides Las Vegas, Black Hat USA, DEF CON, and the kid-focused r00tz Asylum are all part of the ever-growing movement to defend digital freedom. As "hacking" loses some of its stigma, it serves us well to remember that at its core, hacking is about curiosity, problem-solving, and innovation. These key principles help ensure that technology can work in our favor and remains in our control.</p>
<p><a href="https://www.eff.org/files/2015/09/04/babyhawk_0.jpg"><img src="/files/2015/09/04/babyhawksm.jpg" alt="Baby Hacker Faux-hawk" title="A faux-hawked n00b sneers at injustice as EFF's Parker Higgins looks on." class="align-left" height="207" width="252" /></a>EFF stood up for the users at a record number of talks and events this year. Presentations from our activists, legal team, and technologists delved into topics including encryption export controls, the U.S. government's mass surveillance, taking down DRM, and our game-changing SSL certificate authority <a href="https://letsencrypt.org/">Let's Encrypt</a>. Through the <a href="https://www.eff.org/coders">Coders' Rights Project</a>, EFF attorneys counseled numerous security researchers<a class="see-footnote" id="footnoteref1_u6l9h5g" title="If you have legal concerns regarding an upcoming talk or sensitive information security research that you are conducting at any time, please email info@eff.org. Outline the issues and we will do our best to connect you with the resources you need." href="#footnote1_u6l9h5g">1</a> through the murky waters of tech law in preparation for this year's events. EFF participated officially in many on-site events, from the Crypto &amp; Privacy Village to Mohawkcon's haircuts for charity. We also held our very first—and wildly successful—<a href="https://www.eff.org/DC23Contest">Badge Hack Pageant</a> which will return next year. You can check out a collection of photos from our adventures on <a href="https://www.facebook.com/media/set/?set=a.10152952830606946.1073741835.97703891945&amp;type=1&amp;l=d9c0192e0b">Facebook</a> and <a href="https://plus.google.com/photos/113175636916099066477/albums/6190817629039970737?authkey=CNvk-N2K4sLGaw">Google+</a>. Photo goon <a href="https://twitter.com/cannibal">@cannibal</a> has some great shots of the Badge Hack Pageant on <a href="https://www.flickr.com/photos/r6_cannibal/albums/72157657184706305/page2">his Flickr album</a>. 
Special thanks to AST Cell's <a href="http://hackerphotos.com/">HackerPhotos.com</a>!</p>
<p>While it is nigh impossible to name all of the ardent digital freedom supporters we meet at these events, we would like to thank some of the groups and individuals who found creative ways to raise awareness and funds for EFF's work:</p>
<ul><li><strong>Black Hat</strong> for designating a portion of Business Hall pass sales to support digital rights.</li>
<li><strong>Beard &amp; Moustache Contest</strong> for including EFF and bringing the silliness.</li>
<li><strong>EddieTheYeti</strong> for creating art with extra purpose.</li>
<li><strong>Hack Fortress</strong> for using their talents to support online freedom.</li>
<li><strong>Mohawkcon</strong> for braving electrical outages and more with clippers and a smile.</li>
<li><strong>Rapid7</strong> for showing that open source really IS magic!</li>
<li><strong>Wafflecon</strong> for using their sweets for good, not evil.</li>
<li><strong>Wall of Sheep</strong> for their fantastic night-time auction.</li>
<li><strong>The Goons</strong> for being helpful and generous with their time.</li>
</ul><p><a href="https://www.eff.org/files/2015/09/03/defcon-23-fb-500.png"><img src="https://supporters.eff.org/files/defcon-23-fb-200.png" title="DC23 Crypto Noir Member T-Shirt" alt="DC23 Crypto Noir Member T-Shirt" class="align-right" /></a>Thank you to every person who attended an EFF session, stopped to discuss online rights issues, signed up on the mailing list, bought some EFF swag, or renewed their support as a member. Also, I'm pleased to announce that we have a limited number of EFF's special edition DEF CON 23 Crypto Noir member t-shirts <a href="https://www.eff.org/join">available now</a>! You can figure out the puzzle on your own or <a href="https://www.eff.org/deeplinks/2015/08/effs-def-con-23-t-shirt-puzzle-crypto-noir">read ahead if you like spoilers</a>.</p>
<p>Las Vegas' hacker gatherings are an annual reminder that EFF stands alongside a socially conscious community that is ready to face weighty challenges and big questions about technology with a strong heart and a nerve of steel.</p>
<ul class="footnotes"><li class="footnote" id="footnote1_u6l9h5g"><a class="footnote-label" href="#footnoteref1_u6l9h5g">1.</a> If you have legal concerns regarding an upcoming talk or sensitive information security research that you are conducting at any time, please email info@eff.org. Outline the issues and we will do our best to connect you with the resources you need.</li>
</ul></div></div></div>
Sat, 05 Sep 2015 00:04:12 +0000 Aaron Jue 87459 at https://www.eff.org
Announcement, Coders' Rights Project, Electronic Frontier Alliance
Speech that Enables Speech: China Takes Aim at Its Coders
https://www.eff.org/deeplinks/2015/08/speech-enables-speech-china-takes-aim-its-coders
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>The maintainer of GoAgent, one of China's more popular censorship circumvention tools, emptied out the project's <a href="https://github.com/phuslu/goagent/">main</a> source code <a href="https://github.com/goagent/goagent">repositories</a> on Tuesday. Phus Lu, the developer, renamed the repository’s description to “Everything that has a beginning has an end”. Phus Lu’s Twitter account's history was also deleted, except for a <a href="https://twitter.com/phuslu/status/636186971631677440">single tweet</a> that linked to a Chinese translation of Alexander Solzhenitsyn’s <a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/08/04/AR2008080401822_pf.html">“Live Not By Lies”</a>. That essay was originally published in 1974 on the day of the Russian dissident’s arrest for treason.</p>
<p>We can guess what caused Phus Lu to erase over four years’ work on an extremely popular program from the brief comments of another Chinese anti-censorship programmer, Clowwindy. Clowwindy was the chief developer of ShadowSocks, another tool that circumvented the Great Firewall of China by creating an encrypted tunnel between a simple server and a portable client. Clowwindy also deleted his or her Github repositories last week. In a comment on the now empty Github archive Clowwindy <a href="https://en.greatfire.org/blog/2015/aug/chinese-developers-forced-delete-softwares-police">wrote in English</a>:</p>
<blockquote><p>Two days ago the police came to me and wanted me to stop working on this. Today they asked me to delete all the code from Github. I have no choice but to obey.</p></blockquote>
<p>The author deleted that comment too shortly afterwards.</p>
<p>Github, the host for both repositories, reported a DDoS attack on the days between these two incidents. While Github has not commented on the source of the current attack, <a href="https://citizenlab.org/2015/04/chinas-great-cannon/">the evidence strongly suggests</a> that a previous DDoS against Github in March was <a href="https://www.eff.org/deeplinks/2015/04/china-uses-unencrypted-websites-to-hijack-browsers-in-github-attack">conducted by the Chinese government</a> to pressure the company to remove the repositories of two other anti-censorship programs.</p>
<p>The Chinese government’s control of the Internet passes through regular waves of enhanced repression, often tied to a significant political event or protest. Many commentators have connected a current wave of <a href="http://chinadigitaltimes.net/2015/08/beijing-shuts-commemoration-parade-rehearsal">media and Internet crackdowns</a> to a forthcoming military parade commemorating World War II in Beijing on September 3.</p>
<p>But even as a peak moment in a temporary spate of repression, the intimidation of GoAgent and ShadowSocks’ creators represents a continuing escalation by the authorities against technologists.</p>
<p>Chinese law has long forbidden the selling of telecommunication services that bypass the Great Firewall of China, as well as the creation or distribution of “harmful information”. Until recently, however, the authorities have not targeted the authors of non-commercial circumvention software, nor its users. <a href="http://www.hrichina.org/en">Human Rights in China</a>, a Chinese rights advocacy and research organization, told EFF that, based on its preliminary review, VPNs and circumvention software are not specifically prohibited under Chinese law. While the state interferes with people's ability to use such software, it has not outlawed the software itself.</p>
<p>In November, Phus Lu wrote a public declaration to <a href="http://www.chinagfw.org/2014/11/goagent.html">clarify this point</a>. In the statement, he stated that he has received no money to develop GoAgent, provided no circumvention service, nor asserted any political view.</p>
<p>Phus Lu’s caution at that time was prompted by the police questioning of another technologist, Xu Dong, a supporter of the Hong Kong opposition Umbrella Movement who was detained in the same month for <a href="http://chinachange.org/2014/11/12/young-it-professional-detained-for-developing-software-to-scale-gfw-of-china/">“picking quarrels and creating disturbances”</a>. According to the Washington-based blog China Change, Xu Dong, who goes by the nym <a href="https://twitter.com/onionhacker">Onionhacker</a> online, had also been working on censorship circumvention code. During his detention he was told by the police that he had committed “crimes of developing software to help Chinese Internet users scale the Great Fire Wall of China.”</p>
<p>Even if it's unclear what law Xu Dong had broken, if any, in November, the legal and political climate has grown even more aggressively anti-Internet since then. A new <a href="http://chinalawtranslate.com/2015nsl/?lang=en">National Security Law</a> came into effect on July 1, which provides the authorities with a wide remit to oversee “internet information technology products and services” that impact national security (Art. 59), as well as maintain <a href="https://en.wikipedia.org/wiki/Network_Sovereignty">“network sovereignty”</a> (Art. 25). It seems that this is already being interpreted to include the creators of circumvention software. A sweeping <a href="http://chinalawtranslate.com/cybersecuritydraft/?lang=en">bill on cyber-security</a> is also in the works.</p>
<p>The targeting of software developers by China is a new and worrying trend, but one that we’re seeing occur around the world. Authorities everywhere are realising that one way to sabotage free expression is to intimidate those who build the tools that enable that speech.</p>
<p>Technologists like Phus Lu, Clowwindy and Xu Dong are now facing the same political scrutiny and intimidation in authoritarian regimes as independent writers, publishers, poets or journalists did in Solzhenitsyn’s time. <a href="https://www.eff.org/deeplinks/2015/04/remembering-case-established-code-speech">Code is speech</a>: and using police intimidation to compel these creators to delete their code repositories is as serious a violation of human rights law as compelling a writer to burn his or her own books.</p>
<p>It’s also as ultimately futile: while the Chinese authorities have chosen to target and disrupt two centralised stores of code, thousands of forked copies of the same software exist—both on other accounts on Github and in private copies around the Net. ShadowSocks and GoAgent represent hours of creative work for their authors, but the principle behind them is reproducible by many other coders. The Great Firewall may be growing more sophisticated in detecting and blocking new circumvention systems, but even as it does so, new code blossoms.</p>
<p>Meanwhile the intimidation of programmers remains a violation of the human rights of the coder—and a blow to the rights of everyone who relies on their creativity to exercise their own rights.</p>
</div></div></div>Fri, 28 Aug 2015 19:37:56 +0000Danny O&#039;Brien87572 at https://www.eff.orgNews RoundupFree SpeechCoders' Rights ProjectInternationalDeep Dive into Crypto “Exceptional Access” Mandates: Effective or Constitutional—Pick Onehttps://www.eff.org/deeplinks/2015/08/deep-dive-crypto-exceptional-access-mandates-effective-or-constitutional-pick-one
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p class="MsoNormal"><span>Readers of these pages will be </span><span><a href="https://www.eff.org/deeplinks/2015/02/eff-nsa-if-rule-law-important-start-acting-it"><span>familiar with the debate</span></a></span><span> going on between government officials and technologists around the world about law enforcement’s perceived need to access the content of any and all encrypted communications.<a class="see-footnote" id="footnoteref1_bfkyrhe" title="This debate often combines and indeed confuses encryption of devices and storage with encryption of communications, which may raise different issues. This post focuses on issues specific to encrypted communications" href="#footnote1_bfkyrhe">1</a></span><span></span></p>
<p class="MsoNormal"><span>In this in-depth post, we’ll discuss why—in order to be effective—any legal mandate requiring cryptographic communications systems to be designed to retain the ability to provide law enforcement “exceptional access” to encrypted content would violate the First Amendment. </span><span></span></p>
<p class="MsoNormal"><span>Last month, the Washington Post’s editorial board </span><span><a href="https://www.washingtonpost.com/opinions/putting-the-digital-keys-to-unlock-data-out-of-reach-of-authorities/2015/07/18/d6aa7970-2beb-11e5-a250-42bd812efc09_story.html"><span>doubled down</span></a></span><span> on the side of exceptional access, suggesting that Silicon Valley’s “paragons of innovation” ought to more clearly “acknowledge the legitimate needs” of law enforcement—and presumably give the FBI exactly what it’s asking for. That suggestion came even after the editorial board acknowledged that both </span><span><a href="https://static.newamerica.org/attachments/3138--113/Encryption_Letter_to_Obama_final_051915.pdf"><span>industry</span></a></span><span> and </span><span><a href="http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=8"><span>academic experts</span></a></span><span> uniformly tell us that giving the government exceptional access to our data would be a dangerous idea from a cryptographic perspective, putting our security at significant risk. </span><span></span></p>
<p class="MsoNormal"><span>And just this week, in the New York Times, law enforcement officials from New York, London, Paris, and Madrid </span><span><a href="http://www.nytimes.com/2015/08/12/opinion/apple-google-when-phone-encryption-blocks-justice.html"><span>published a similarly flawed op-ed</span></a></span><span> discussing device encryption, using misleading anecdotes in an </span><span><a href="https://www.eff.org/deeplinks/2015/08/it-again-law-enforcement-officials-anti-encryption-new-york-times-op-ed"><span>attempt to frighten the public</span></a></span><span> into accepting their vision of total surveillance through undermined crypto.</span><span></span></p>
<p class="MsoNormal"><span>But a mandate that developers weaken encryption systems to suit the whim of law enforcement isn’t just a technically bad idea; any such mandate would necessarily be either ineffective or unconstitutional.</span><span></span></p>
<p class="MsoNormal"><b><u><span>What would an “exceptional access” mandate actually mean?</span></u></b><span></span></p>
<p class="MsoNormal"><span>Although no legislation has yet been proposed, government officials such as FBI director James Comey have repeated their position enough over the last several months to make it clear, if not logically consistent: the FBI </span><span><a href="https://www.eff.org/deeplinks/2015/07/fbis-revival-crypto-wars-part-ii-continues-two-hearings-congress"><span>says it supports “strong encryption,”</span></a></span><span> but it wants the ability to read <i>any and all</i> encrypted messages if it has the proper legal authority.</span><span></span></p>
<p class="MsoNormal"><span>If the government really is serious about creating a legislative requirement that law enforcement always be able to access the content of a communication, simply requiring companies like Apple to redesign their systems won’t be enough. Why? Because every terrorist, pedophile, mafioso, and run-of-the-mill crook will be able to simply stop using iMessage or WhatsApp and turn instead to one of the many apps that implement end-to-end cryptography without the FBI’s hypothetical golden key. Or they could simply use strong encryption protocols like OTR<a class="see-footnote" id="footnoteref2_a9qqlq8" title="OTR, short for “off-the-record,” is a protocol that allows people to have truly end-to-end encrypted communications over otherwise unencrypted channels like Google Chat or Facebook Messenger." href="#footnote2_a9qqlq8">2</a> on top of other messaging services.</span><span></span></p>
<p class="MsoNormal"><span>Back in the 1990s when Congress passed </span><span><a href="https://www.eff.org/issues/calea"><span>CALEA</span></a></span><span>, the overwhelming majority of our communications went through centralized service providers—mostly phone companies. CALEA’s mandate that phone companies make it possible for law enforcement to wiretap their customers was in large part effective, because there wasn’t much else people could use to communicate. </span><span></span></p>
<p class="MsoNormal"><span>But the app economy has changed all that. Today, centralized service providers aren’t the only option for communications applications; instead you often have a range of options for communicating on a given service or platform. Take for example ChatSecure, a mobile app that implements OTR. ChatSecure, like nearly every OTR implementation, doesn’t depend on any specific service provider and indeed is designed to add end-to-end encryption to other providers’ unencrypted chat services. A mandate that the provider of the chat service, e.g., Google Chat, be able to provide plaintext on demand would be rendered meaningless for anyone using ChatSecure. There is no way that such providers can do so, because they don’t have access to the keys.</span><span></span></p>
<p class="MsoNormal"><span>As Stanford computer scientist, lawyer, and former EFF intern </span><span><a href="http://webpolicy.org/2015/04/28/you-cant-backdoor-a-platform/"><span>Jonathan Mayer put it</span></a></span><span>:</span><span></span></p>
<blockquote><p class="MsoNormal"><span>In order to believe that [exceptional access] will work, we have to believe there is a set of criminals . . . not smart enough to do <i>any</i> of the following:</span><span></span></p>
<p class="MsoNormal"><span><span>·<span> </span></span></span><span>Install an alternative storage or messaging app.</span><span></span></p>
<p class="MsoNormal"><span><span>·<span> </span></span></span><span>Download an app from a website instead of an official app store.</span><span></span></p>
<p class="MsoNormal"><span><span>·<span> </span></span></span><span>Use a web-based app instead of a native mobile app.</span><span></span></p>
</blockquote>
<p class="MsoNormal"><span>It’s difficult to believe that many criminals would fit the profile.</span><span></span></p>
<p class="MsoNormal"><span>Meanwhile, members of the technical community have been clear that government calls for exceptional access are exceptionally dangerous from a cryptographic perspective. Any system that allows the government access to encrypted communications would entail the need for third parties to hold cryptographic materials or the plaintext of messages. As </span><span><a href="http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf"><span>a recent paper</span></a></span><span> by <span>an all-star cast of computer scientists and security researchers explained,</span> this is highly risky because it increases system complexity and provides juicy targets for attackers. </span><span></span></p>
<p class="MsoNormal"><span>The technological problems with safely implementing escrowed or split-key crypto should be enough to end this so-called debate now. However, from a legal perspective, an exceptional access mandate is more objectionable for what it would do to the cutting edge of cryptographic development: stop it dead. </span><span></span></p>
<p class="MsoNormal"><b><u><span>What does the First Amendment have to say about a crypto mandate?</span></u></b><span></span></p>
<p class="MsoNormal"><span>In spite of all the fervent op-eds, the government seems reluctant to actually put forward a proposal for an exceptional access mandate. That may well be because this law would act as what’s known as a “prior restraint.” Prior restraints are almost never permissible under the First Amendment, so a crypto mandate would be highly vulnerable to constitutional challenge. EFF has worked to establish and strengthen First Amendment protections for encryption, and we’d welcome the opportunity to take that case. In the rest of this section, we’ll explain why we think we’d win.</span><span></span></p>
<p class="MsoNormal"><b><u><span>What is a prior restraint?</span></u></b><span></span></p>
<p class="MsoNormal"><span>A prior restraint is a government action that prevents people from speaking or publishing before they have a chance to do so. (That’s in contrast to a punishment imposed after someone speaks. Think of a lawsuit for defamation that results in a defendant paying a monetary judgment for something she said about the plaintiff.) Prior restraints have an important place in the history of the First Amendment. In the seventeenth century, operators of printing presses in England were </span><span><a href="https://en.wikipedia.org/wiki/Freedom_of_the_press#Great_Britain"><span>required to obtain licenses</span></a></span><span> from the government in order to publish. As the U.S. Supreme Court explained in 1931 in </span><span><a href="https://scholar.google.com/scholar_case?case=10240616562166401834"><i><span>Near v. Minnesota</span></i></a></span><span>, the drafters of the Bill of Rights, </span><span><a href="http://press-pubs.uchicago.edu/founders/documents/amendI_speechs24.html"><span>including notably James Madison</span></a></span><span>, were deeply worried that the new American government might pass similar laws, which the Court called “the essence of censorship.” This is one of the main concerns that led to the First Amendment’s guarantee of freedom of the press, which in the modern era extends beyond the operators of printing presses to all speakers.</span><span></span></p>
<p class="MsoNormal"><span>Because prior restraints are central to the motivating purpose of the First Amendment, the Supreme Court has been extremely hostile to laws that restrict speech in advance. In fact, no prior restraint considered by the Supreme Court has ever been upheld. Most famously, the Court </span><span><a href="https://scholar.google.com/scholar_case?case=17571244799664973711"><span>struck down a lower court’s injunction against the publication</span></a></span><span> of the so-called Pentagon Papers by the New York Times and the Washington Post in 1971 despite the government’s claim that the publication would cause grave harm to national security. Coming out of these cases, prior restraints are said to </span><span><a href="https://scholar.google.com/scholar_case?case=2489199669673453004"><span>bear a “heavy presumption</span></a></span><span>” against their constitutionality. Courts often employ a hard-to-meet checklist, under which prior restraints must be (1) necessary to prevent a harm to a governmental interest of the highest order; absent which (2) irreparable harm will definitely occur; (3) no alternative exists; and (4) the prior restraint will actually prevent the harm. </span><span></span></p>
<p class="MsoNormal"><b><u><span>Why is a crypto mandate a prior restraint? </span></u></b><span></span></p>
<p class="MsoNormal"><span>To recap, laws that prevent authors from publishing are almost always unconstitutional. So if we can show that a crypto mandate acts to prevent publication or speech, it’s probably toast. What’s left is the connection between encryption software and free speech. Fortunately, the legal principle that code is speech is near and dear to EFF’s heart. In the 1990’s, we successfully argued </span><span><a href="https://www.eff.org/deeplinks/2015/04/remembering-case-established-code-speech"><i><span>Bernstein v. DOJ</span></i></a></span><span> to the Ninth Circuit Court of Appeals on behalf of cryptographer Daniel J. Bernstein, establishing that laws prohibiting the export of cryptography software without a license were prior restraints, and that software code is expression protected by the First Amendment.</span><span><a class="see-footnote" id="footnoteref3_d4zeiuk" title="Although the Ninth Circuit later withdrew its opinion in Bernstein, the lower court’s opinion remains good law, and the Sixth Circuit reached similar conclusions in 2000 in Junger v. Daley." href="#footnote3_d4zeiuk">3</a></span><span></span></p>
<p class="MsoNormal"><span>Because there’s no proposal for a crypto mandate yet on the table, we have to guess at what it might look like. It might be something like CALEA, requiring service providers to architect their systems in such a way as to make exceptional access possible. Some would argue that this might not be a prior restraint, since it only affects what <i>services</i> providers can offer. But this is where the issue of effectiveness becomes paramount. As we described above, it’s naive to think that a mandate aimed only at service providers would prevent criminals from using strong encryption; they’d simply use apps that offer it on top of insecure messaging services, for example. </span><span></span></p>
<p class="MsoNormal"><span>That’s why in order to be effective, a mandate would have to also sweep in the developers of apps that offer end-to-end encryption, though the government has been reluctant to say that outright. But requiring developers to maintain the capability to provide law enforcement access to all encrypted communications would halt the state of the art of development in end-to-end encryption. For instance, because Moxie Marlinspike and Trevor Perrin’s advanced </span><span><a href="https://whispersystems.org/blog/advanced-ratcheting/"><span>Axolotl cryptographic ratchet</span></a></span><span> implements forward secrecy and future secrecy, no system implementing that protocol as intended <span>could be permitted. </span></span><span></span></p>
<p class="MsoNormal"><span>Put another way, the government would be telling developers they cannot produce software (and publish open source code) that implements features incompatible with exceptional access. To see why that’s a clear prior restraint, imagine the government restricted use of certain emoji. The </span><span><a href="http://emojipedia.org/cactus/"><span>cactus</span></a></span><span> is cool, but the </span><span><a href="http://emojipedia.org/pile-of-poo/"><span>smiling pile of poop</span></a></span><span> is verboten. Like emoji, code is a form of speech, and publishing code that has certain features would be outlawed. </span><span></span></p>
<p class="MsoNormal"><span>In light of this simple equation, a law requiring exceptional access would be on very thin ice. The government would have to show that not having the mandate will “result in direct, immediate, and irreparable damage” to national security or safety, in the words of Justice Stewart in the Pentagon Papers case. Many apps offer such features today, so it’s hard to imagine a court seeing this necessity. What’s more, prior restraints must be effective—they must actually work—in order to be constitutional. But given the nature of open source development, even a crypto mandate that applied to apps offering end-to-end encryption would fail to take down every fork of every project, </span><span><a href="https://www.lawfareblog.com/five-hard-encryption-questions"><span>particularly those developed outside the United States</span></a></span><span>.<a class="see-footnote" id="footnoteref4_6se8lan" title="A similar analysis would also apply to an argument that a crypto mandate is a so-called content-based restriction on speech that fails strict scrutiny." href="#footnote4_6se8lan">4</a></span><span></span></p>
<p class="MsoNormal"><b><u><span>Any mandate that would require developers to permit law enforcement “exceptional access” would either be an unconstitutional prior restraint or entirely ineffective.</span></u></b><span></span></p>
<p class="MsoNormal"><span>FBI Director Comey has been crystal clear in one respect: he wants a valid search warrant to result in the return of plaintext, every time, no matter what. He doesn’t particularly care how developers get there; all he knows is he wants the goods. But unlike the last time around when CALEA was passed, secure communications no longer depend on tools developed by service providers. If Apple is forced to backdoor iMessage, everyone interested in privacy and security—including the criminals who most worry Comey—will simply switch to something like OTR, and he will be out of luck. And because banning OTR (or forcing the developers to implement any kind of exceptional access) would amount to a prior restraint, we urge Congress to reject law enforcement’s call for sweeping legislation. But if Congress fails to listen to reason and passes an exceptional access mandate, you can expect to see us challenge it in court.</span><span></span></p>
<ul class="footnotes"><li class="footnote" id="footnote1_bfkyrhe"><a class="footnote-label" href="#footnoteref1_bfkyrhe">1.</a> This debate often combines and indeed confuses encryption of devices and storage with encryption of communications, which may raise different issues. This post focuses on issues specific to encrypted communications.</li>
<li class="footnote" id="footnote2_a9qqlq8"><a class="footnote-label" href="#footnoteref2_a9qqlq8">2.</a> OTR, short for “off-the-record,” is a protocol that allows people to have truly end-to-end encrypted communications over otherwise unencrypted channels like Google Chat or Facebook Messenger.</li>
<li class="footnote" id="footnote3_d4zeiuk"><a class="footnote-label" href="#footnoteref3_d4zeiuk">3.</a> Although the Ninth Circuit later withdrew its opinion in <em>Bernstein</em>, the lower court’s opinion remains good law, and the Sixth Circuit reached similar conclusions in 2000 in <a href="https://scholar.google.com/scholar_case?case=2653838863893184007"><em>Junger v. Daley</em></a>.</li>
<li class="footnote" id="footnote4_6se8lan"><a class="footnote-label" href="#footnoteref4_6se8lan">4.</a> A similar analysis would also apply to an argument that a crypto mandate is a so-called content-based restriction on speech that fails strict scrutiny.</li>
</ul></div></div></div><div class="field field-name-field-related-cases field-type-node-reference field-label-above"><div class="field-label">Related Cases:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/cases/bernstein-v-us-dept-justice">Bernstein v. US Department of Justice</a></div></div></div>Fri, 14 Aug 2015 00:03:47 +0000Andrew Crocker and Nate Cardozo87403 at https://www.eff.orgExport ControlsCoders' Rights ProjectCALEAEncrypting the WebEFF's DEF CON 23 T-Shirt Puzzle: Crypto Noirhttps://www.eff.org/deeplinks/2015/08/effs-def-con-23-t-shirt-puzzle-crypto-noir
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>This summer EFF unveiled the sixth limited edition member's t-shirt for the 23rd annual <a href="https://www.eff.org/DC23">DEF CON</a>, the premier world hacker conference in Las Vegas. This year’s design, like the shirts we produced in <a href="https://www.eff.org/deeplinks/2013/08/effs-encryption-t-shirt-puzzle-solved">2013</a> and <a href="https://www.eff.org/deeplinks/2014/08/effs-defcon-22-t-shirt-puzzle-explained">2014</a>, includes a puzzle that involves the use of encryption.</p>
<p>The front of this year’s shirt features a long cipher text, displayed in a 1940s typeface:</p>
<p></p><center><a href="https://www.eff.org/files/2015/08/12/defcon-2015-front.jpg"><img src="/files/2015/08/12/defcon-2015-front.jpg" alt="" title="EFF's DC23 Shirt Front" height="461" width="341" /></a></center>
<p>Here's the string for those following along at home:</p>
<blockquote><p>5c91dd90f2958c976a73a54aac97f2559eab74b3fd72e7695fd77ba0994d0772bd41510e2b1c61a5a8215ba5b88b617c</p></blockquote>
<p>In keeping with DEF CON's “film noir” theme for this year, the back of the shirt features an illustration of a fatale-istic detective surrounded by clues. Unpack the clues correctly, and you can decode the cipher text to uncover a secret message!</p>
<p></p><center><a href="https://www.eff.org/files/2015/08/12/defcon-2015-back.jpg"><img src="/files/2015/08/12/defcon-2015-back.jpg" alt="" title="EFF's DC23 Shirt Back" height="471" width="697" /></a></center>
<p>The detective is seated in front of a device that may be familiar to history buffs. It’s not a typewriter, but rather an Enigma machine, used by the Nazis in WWII to encrypt military communications. The Allies eventually broke the Enigma code with the help of Alan Turing, father of modern computing — a story told recently in the film The Imitation Game. (Which side is our detective working for? A hint is provided by the inclusion of the <a href="https://en.wikipedia.org/wiki/Cross_of_Lorraine">Croix de Lorraine</a> on her lapel.)</p>
<p>The original Enigma machine had three rotors with changeable settings, each with three digits. Not coincidentally, a trio of three-digit clues printed in glow-in-the-dark ink becomes apparent when the garment is viewed under a blacklight or in a darkened room:</p>
<p></p><center><a href="https://www.eff.org/files/2015/08/12/defcon-2015-back2.jpg"><img src="/files/2015/08/12/defcon-2015-back2.jpg" alt="" title="EFF's DC23 Shirt Back Under Cover of Night" height="464" width="691" /></a></center>
<blockquote><p>EFF<br />
DES<br />
II - III - IV</p></blockquote>
<p>The glow also reveals another cipher text (WUTZABRN) floating in the steam emerging from a coffee cup marked with a key.</p>
<p>Using an online Enigma emulator, a clever detective can use the three Enigma settings to descramble the key, which reveals the following:</p>
<blockquote><p>BACKDOOR</p></blockquote>
<p>The “DES” on the wall was also a clue for the front cipher text, which decrypted (using DES in Electronic Codebook mode with the “BACKDOOR” key) to “Join the resistance. VHTWCMZTYOGZIJRDAUB.” Running this new cipher text back through the Enigma yielded “ENCRYPTALLTHETHINGS” — Encrypt all the things.</p>
<p><img src="/files/2015/08/12/dc23winnersb.jpg" alt="" class="align-right" title="Cheers to CryptoK, pseudoku, and Elegin!" height="226" width="337" />Congratulations to our three winners, CryptoK, pseudoku, and Elegin, who successfully solved the puzzle with only minutes left of the conference! Notably, they found that if you swap rotors 2 and 3 in our puzzle you get ISRTPNHW, which is an anagram for PWNSHIRT. This seasoned team also solved EFF's 2013 shirt, and won the DEF CON badge challenge for <a href="http://elegin.com/">three consecutive years</a>. Nothing brings people together quite like encryption and digital freedom. <strong><em>Join the resistance—encrypt all the things.</em></strong></p>
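<p>The Enigma steps above can be reproduced offline. The following Python simulator is an added example, not code from EFF or the puzzle's authors; it assumes the historical Enigma I rotor wirings, reflector B and no plugboard (the post names none of these), and reads DES as the ring settings and EFF as the start positions. Under those assumptions the post's plaintexts come out with the rotors mounted left to right as III, II, IV, and the winners' ISRTPNHW comes out with II, III, IV.</p>

```python
"""Enigma I simulator (no plugboard) applied to the shirt's glow-in-the-dark clues."""
from itertools import permutations
from string import ascii_uppercase as ALPHA

# Historical Enigma I wirings and turnover notches for the three rotors named
# on the shirt. Assumption: the post does not say which emulator was used.
ROTORS = {
    "II": ("AJDKSIRUXBLHWTMCQGZNPYFVOE", "E"),
    "III": ("BDFHJLCPRTXVZNYEIWGAKMUSQO", "V"),
    "IV": ("ESOVPZJAYQUIRHXLNFTGKDCMWB", "J"),
}
REFLECTOR_B = "YRUHQSLDPXNGOKMIEBFZCWVJAT"  # assumption: reflector B


def _through(table, c, offset):
    """Pass contact c through a rotor displaced by offset = position - ring."""
    return (table[(c + offset) % 26] - offset) % 26


def enigma(text, order, rings, start):
    """Encipher or decipher text; order, rings and start read left to right."""
    forward = [[ALPHA.index(ch) for ch in ROTORS[name][0]] for name in order]
    backward = [[w.index(i) for i in range(26)] for w in forward]
    notch = [ALPHA.index(ROTORS[name][1]) for name in order]
    ring = [ALPHA.index(ch) for ch in rings]
    pos = [ALPHA.index(ch) for ch in start]
    reflector = [ALPHA.index(ch) for ch in REFLECTOR_B]
    out = []
    for ch in text.upper():
        if ch not in ALPHA:
            continue  # the machine has letter keys only
        # Rotors step before the current flows, including the double step
        # of the middle rotor when it sits on its own notch.
        if pos[1] == notch[1]:
            pos[0] = (pos[0] + 1) % 26
            pos[1] = (pos[1] + 1) % 26
        elif pos[2] == notch[2]:
            pos[1] = (pos[1] + 1) % 26
        pos[2] = (pos[2] + 1) % 26
        c = ALPHA.index(ch)
        for i in (2, 1, 0):  # right to left, towards the reflector
            c = _through(forward[i], c, pos[i] - ring[i])
        c = reflector[c]
        for i in (0, 1, 2):  # back out, left to right
            c = _through(backward[i], c, pos[i] - ring[i])
        out.append(ALPHA[c])
    return "".join(out)


def find_settings(cipher, expected,
                  clue_rotors=("II", "III", "IV"), clue_words=("EFF", "DES")):
    """Try every rotor order and both readings of the two clue words."""
    hits = []
    for order in permutations(clue_rotors):
        for rings, start in (clue_words, clue_words[::-1]):
            if enigma(cipher, order, rings, start) == expected:
                hits.append((order, rings, start))
    return hits


if __name__ == "__main__":
    order, rings, start = ("III", "II", "IV"), "DES", "EFF"
    print(find_settings("WUTZABRN", "BACKDOOR"))
    print(enigma("WUTZABRN", order, rings, start))
    print(enigma("VHTWCMZTYOGZIJRDAUB", order, rings, start))
    # Same settings with the left and middle rotors exchanged.
    print(enigma("WUTZABRN", ("II", "III", "IV"), rings, start))
    # Enigma is reciprocal: enciphering the plaintext restores the ciphertext.
    print(enigma("BACKDOOR", order, rings, start))
```

<p>Because the machine is reciprocal, the same function with the same settings both enciphers and deciphers, which is why the puzzle can run its second cipher text "back through the Enigma".</p>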
</div></div></div>Wed, 12 Aug 2015 21:47:55 +0000Aaron Jue and Hugh D&#039;Andrade and Kurt Opsahl87376 at https://www.eff.orgAnnouncementCoders' Rights ProjectThe Endless Summer of Hacker Conferenceshttps://www.eff.org/deeplinks/2015/08/endless-summer-hacker-conferences
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><img src="https://www.eff.org/files/images_insert/DCXX-Mohawk.jpg" title="Buzzed for EFF - Mohawk-Con strikes again!" alt="Buzzed for EFF." class="align-right" height="172" hspace="5px" width="278" />Each summer the Electronic Frontier Foundation joins tens of thousands of computer security professionals, academic researchers, tech tinkerers, and curious onlookers at a series of bleeding-edge hacker conferences in Las Vegas. EFF has been a proud supporter of these communities since our founding twenty-five years ago, and we make a concerted effort to ensure that con-goers know that there is an active movement to protect digital freedom around the world. We renewed this commitment during the 2008 summer hacker events by launching the <a href="https://www.eff.org/issues/coders">Coders' Rights Project</a> to help programmers and developers navigate the murky laws* surrounding security research.</p>
<p>Below, you'll find a listing of talks and activities with EFF attorneys, technologists, and activists this week. You can refer to this post for quick reference at <a href="https://eff.org/LasVegas2015">eff.org/LasVegas2015</a>. If you are heading to any of these conferences please stop by the EFF booth to say hello, learn more about recent projects, or tell us what you think about our work. It's also a great opportunity to <a href="https://www.eff.org/renew">renew your EFF membership</a> and pick up the newest member swag! We hope to see you soon in your <a href="https://www.facebook.com/MohawkCon">summer mohawk</a>.</p>
<h2><a href="https://www.eff.org/event/eff-security-bsideslv-2015">EFF at Security BSidesLV</a></h2>
<p><em><strong>Ask the EFF Panel</strong></em>, Wednesday at 6 PM</p>
<h2><a href="https://www.eff.org/event/eff-black-hat-briefings-usa-0">EFF at Black Hat USA</a></h2>
<p><em><strong>How the Wassenaar Arrangement's Export Control of "Intrusion Software" Affects the Security Community</strong></em>, Mandalay Bay BCD, Thursday, August 6 at 11 am</p>
<p><em><strong>Is the NSA Still Listening to Your Phone Calls? A Surveillance Debate: Congressional Success or Epic Fail</strong></em>, Mandalay Bay BCD, Thursday, August 6 at 2:30 pm</p>
<h2><a href="https://www.eff.org/DC23">EFF at DEF CON</a></h2>
<p><em><strong>Licensed to Pwn: The Weaponization and Regulation of Security Research</strong></em>, Friday at 11:00, Track Two</p>
<p><em><strong>Fighting Back in the War on General Purpose Computers</strong></em>, Friday at 11:00, Track Three</p>
<p><em><strong>Crypto and Privacy Village Keynote</strong></em>, Friday at 12:00, CPV</p>
<p><em><strong>Let's Talk about Let's Encrypt</strong></em>, Friday at 15:00, CPV</p>
<p><em><strong>Let's Encrypt - Minting Free Certificates to Encrypt the Entire Web</strong></em>, Saturday at 15:00, Track Four</p>
<p><em><strong>Ask the EFF: The Year in Digital Civil Liberties</strong></em>, Saturday at 18:00, Track Two</p>
<p><strong>EFF Badge Hack Pageant</strong>, Saturday afternoon judging. <a href="https://www.eff.org/DC23Contest">Details</a>.</p>
<h2><a href="http://www.r00tz.org/schedule-2015/">EFF at r00tz Asylum V</a></h2>
<p>r00tz is all about inspiring and empowering the young hackers of tomorrow. EFF will present several kid-friendly talks covering DRM, white-hat hacking, and more. Check the schedule for <a href="http://www.r00tz.org/schedule-2015/">final details</a> soon.</p>
<p><em>*If you have legal concerns regarding an upcoming talk or sensitive information security research that you are conducting at any time, please email <a href="mailto:info@eff.org">info@eff.org</a>. Outline the issues and we will do our best to connect you with the resources you need.</em></p>
</div></div></div>Mon, 03 Aug 2015 19:20:57 +0000Aaron Jue87176 at https://www.eff.orgAnnouncementCoders' Rights ProjectEFF Launches Badge Hacking Contest for DEF CON 23https://www.eff.org/deeplinks/2015/07/eff-launches-badge-hacking-contest-def-con-23
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><img src="/files/2015/07/01/dc23-badge-hack-contestb.jpg" alt="" title="HAX0R 5UPR3ME" width="330" align="right" height="188" /><strong>UPDATE: Judging will take place in the Contests and Events main hall at Bally's at 5 PM on Saturday, August 8, 2015.</strong></p>
<p>The Electronic Frontier Foundation is proud to present the DEF CON 23 Badge Hack Pageant (1337 skills required, swimsuit optional). Now is the time to bring out your sweetest hacks and sickest mods in a no-holds-barred battle for hardware supremacy. You are free to excel in practicality, absurdity, devastating good looks, or all three. Break out your hacker con badge collection and have at it. Our esteemed celebrity judges—badge legends 1057 and Joe "Kingpin" Grand—will decide the fate of contestants.</p>
<p>The path to victory is simple...</p>
<p>1. Enter in one of three categories:<br />
• DEF CON DIGITAL: Circuit board-based badge from DC 1-22<br />
• DEF CON ANALOG: Analog badge from DC 1-22<br />
• WILD CARD: Badge from any other hacker con</p>
<p>2. Get scored at DC23 by a panel of celebrity guest judges based upon these criteria:<br />
• Originality<br />
• Form<br />
• Utility<br />
• ¡X-FACTOR! (overall execution)</p>
<p>3. Identify the badge's origin and wear it around your neck during judging.</p>
<p>4. PROFIT!11!!1one!111 (in the form of bragging rights and gear, at least). EFF will name a winner in each category. Winners will receive special prizes and abundant glory.</p>
<p>There is no limit (except Johnny Law) to what you may add to enhance or embellish your entry. Get started on your entry today and <a href="mailto:membership@eff.org?subject=Badge%20Hack%20Pageant ">let us know</a> which category you plan to enter. Be sure to sign up officially for the competition at EFF’s Contest booth in Las Vegas. Contestants must be present for the judging session on Saturday at DEF CON to win. EFF celebrates your ability to pwn what you own.</p>
<p><em>EFF is a member-funded nonprofit organization that has fought to protect digital privacy, free expression, and innovation for 25 years. Our court work, activism, and tech projects aim to support individual rights worldwide. Consider donating to EFF at DEF CON or <a href="https://www.eff.org/EFF25">becoming an annual member today</a>.</em></p>
<p></p><center><a href="https://www.eff.org/files/2015/07/02/img_20150702_143409069b.jpg"><img src="/files/2015/07/02/img_20150702_143409069c.jpg" alt="" title="Get cracking." width="487" height="292" /></a></center>
</div></div></div>Thu, 02 Jul 2015 22:19:23 +0000Aaron Jue86590 at https://www.eff.orgAnnouncementCoders' Rights ProjectDamn the Equities, Sell Your Zero-Days to the Navy!https://www.eff.org/deeplinks/2015/06/damn-equities-sell-your-zero-days-navy
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p dir="ltr">Noted eagle eye and EFF Investigative Researcher Dave Maass <a href="https://twitter.com/maassive/status/609057962716348416">happened on</a> an interesting item from earlier this week on <a href="https://www.fbo.gov/">FedBizOpps</a>, the site for government agencies to post contracting opportunities. The Navy put up a <a href="https://www.eff.org/document/navy-soliciation-common-vulnerability-exploit-products">solicitation</a> explaining that the government wants “access to vulnerability intelligence, exploit reports and operational exploit binaries affecting widely used and relied upon commercial software,” including Microsoft, Adobe, Android, Apple, “and all others.” If that weren’t clear enough, the solicitation explains that “the vendor shall provide the government with a proposed list of available vulnerabilities, 0-day or N-day (no older than 6 months old). . . .The government will select from the supplied list and direct development of exploit binaries.”</p>
<p><img src="/files/2015/06/12/navy_0days_-_black.jpg" alt="Fixed that for you. I Want Your 0-Days for The Navy" class="align-right" height="237" width="300" /></p>
<p dir="ltr">Although this solicitation was posted on a publicly accessible site, it seems the Navy didn’t want the attention and pulled it down the day after Dave tweeted about it. (We’ve uploaded the cached copy from Google.) Even so, the fact that the United States government is looking for vendors to sell it software vulnerabilities isn’t news—we’ve known for <a href="https://www.eff.org/deeplinks/2012/03/dangerously-vague-cybersecurity-legislation">some time</a> that the government uses software vulnerabilities, sometimes known as <a href="https://en.wikipedia.org/wiki/Zero-day_attack">zero-days</a>, for offensive intelligence-gathering and espionage. The media has <a href="https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate">also reported</a> on the government’s purchases of zero-days from outside vendors.</p>
<p dir="ltr">What’s more noteworthy is how little regard the government seems to have for the process of deciding to exploit vulnerabilities. As we’ve explained before, the decision to use a vulnerability for “offensive” purposes rather than disclosing it to the developer is one that prioritizes surveillance over the security of millions of users. To its credit, the government has acknowledged that this decision is an extraordinarily important one in every case. It has even reportedly “established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure,” which it calls the <a href="https://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities">Vulnerabilities Equities Process </a>(VEP). The government says the VEP is entirely classified, and EFF <a href="https://www.eff.org/cases/eff-v-nsa-odni-vulnerabilities-foia">is suing</a> to get it released.</p>
<p dir="ltr">We’re skeptical that any VEP that results in the “majority of cases, responsibly disclosing” the vulnerability to the vendor, as White House spokesman Michael Daniel <a href="https://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities">claims</a>, could possibly be consistent with a solicitation such as the one the Navy posted this week. It strikes us as unlikely that the Navy would spend a large sum of money to develop exploits only to turn around and disclose the underlying vulnerabilities back to the vendor. To put it simply, the government is soliciting information about security vulnerabilities no one knows about in products everyone relies on every day—but apparently not to fix them.</p>
<p dir="ltr">The Navy tried to send this particular solicitation down the memory hole, but we’re hopeful that through our FOIA suit, we can shed more light on the conflict between the government’s public statements and its apparent practices surrounding its stockpiling of zero-days. </p>
</div></div></div><div class="field field-name-field-related-cases field-type-node-reference field-label-above"><div class="field-label">Related Cases:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/cases/eff-v-nsa-odni-vulnerabilities-foia">EFF v. NSA, ODNI - Vulnerabilities FOIA </a></div></div></div>Fri, 
12 Jun 2015 21:44:11 +0000Andrew Crocker and Nate Cardozo86307 at https://www.eff.orgNews UpdateCoders' Rights ProjectSecurityTransparencyWhat Is the U.S. Doing About Wassenaar, and Why Do We Need to Fight It?https://www.eff.org/deeplinks/2015/05/we-must-fight-proposed-us-wassenaar-implementation
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>On May 20, 2015, the U.S. Department of Commerce's <a href="https://www.bis.doc.gov/">Bureau of Industry and Security</a> (BIS) published its <a href="https://s3.amazonaws.com/public-inspection.federalregister.gov/2015-11642.pdf">proposed implementation</a> of the December 2013 changes to the Wassenaar Arrangement. What follows is a long post, as we're quite troubled by the BIS proposal. In short, we're going to be <a href="https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items#addresses">submitting formal comments</a> in response, and you should too.</p>
<h3>What is the Wassenaar Arrangement?</h3>
<p>The Wassenaar Arrangement is a multi-national agreement intended to control the export of certain "dual-use" technologies. It's a voluntary agreement among 41 participating states that mostly regulates the export of guns, other weapons (such as landmines), and their components (such as fissile material). In <a href="https://cyberlaw.stanford.edu/publications/changes-export-control-arrangement-apply-computer-exploits-and-more">December 2013</a>, the list of controlled technologies was amended to include surveillance systems for the first time, in response to reports linking exports of Western surveillance technologies to human rights abuses in countries such as <a href="https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/">Bahrain and the UAE</a>, <a href="https://citizenlab.org/2013/04/for-their-eyes-only-2/">Turkmenistan</a>, and <a href="https://edri.org/edrigramnumber10-10amesys-complicity-in-torture/">Libya</a>.</p>
<p>The Wassenaar Arrangement isn't law on its own; it's not even a treaty. Its effectiveness is dependent on each participating state's individual implementation of the export controls it contains. The European Union's member states implemented <a href="http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32014R1382">the new rules</a> over the course of 2014, with the rules going into effect at the start of this year. The United States, also a participant in Wassenaar, started work on its implementation in 2014, with a call for comments that closed in October. EFF signed on to <a href="http://www.cs.dartmouth.edu/~sergey/drafts/wassenaar-public-comment.pdf">comments written by Dartmouth Professor Sergey Bratus</a> voicing concerns about the rules' broad scope and their potential effect on security research. Apparently, the Commerce Department didn't fully digest the comments it received last year, as the rules it proposed this month are a disaster.</p>
<p>The Wassenaar Arrangement includes controls for technology connected to "intrusion software." Under Wassenaar, "intrusion software" is defined as:</p>
<blockquote><p>"Software" specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network capable device, and performing any of the following:</p>
<p>a. The extraction of data or information, from a computer or network capable device, or the modification of system or user data; or</p>
<p>b. The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.</p></blockquote>
<p>Only the following categories are actually subject to export control:</p>
<blockquote><p>4. A. 5. Systems, equipment, and components therefor, specially designed or modified for the generation, operation or delivery of, or communication with, "intrusion software".</p>
<p>4. D. 4. "Software" specially designed or modified for the generation, operation or delivery of, or communication with, "intrusion software".</p>
<p>4. E. 1. c "Technology" for the "development" of "intrusion software".</p>
<p>4. D. 1. a "Software" specially designed or modified for the "development" or "production" of equipment or "software" specified by 4.A. or 4.D.</p>
<p>4. E. 1 "Technology" according to the General Technology Note, for the "development", "production" or "use" of equipment or "software" specified by 4.A. or 4.D.</p></blockquote>
<p>Wassenaar provides a further narrowing of its definitions by including a number of exceptions designed to protect security research. These can be found in the "General Software" and "General Technology" notes. Notably, the controls are not intended to apply to software or technology that is generally available to the public, in the public domain, or part of basic scientific research. We have significant problems with even the narrow Wassenaar language; the definition risks sweeping up many of the common and perfectly legitimate tools used in security research.</p>
<h3>What's the problem with BIS' new proposal?</h3>
<p>In spite of comments encouraging minimal, narrowly-written regulations, BIS has instead proposed an <a href="http://www.gpo.gov/fdsys/pkg/FR-2015-05-20/pdf/2015-11642.pdf">unworkably-broad set of controls</a>, going even further than the European Union implementation in January. Not only does the proposed implementation fail to contain Wassenaar's exceptions, but it goes much further than the Wassenaar text. Specifically, the BIS proposal would add to the list of controlled technology:</p>
<blockquote><p>Systems, equipment, components and software specially designed for the generation, operation or delivery of, or communication with, intrusion software include network penetration testing products that use intrusion software to identify vulnerabilities of computers and network-capable devices.</p></blockquote>
<p>And:</p>
<blockquote><p>Technology for the development of intrusion software includes proprietary research on the vulnerabilities and exploitation of computers and network-capable devices.</p></blockquote>
<p>On its face, it appears that BIS has just proposed prohibiting the sharing of vulnerability research without a license. This is where things get confusing.</p>
<p>According to Randy Wheeler, Director of the Information Technology Controls Division of BIS and participant in an open conference call to discuss the proposed implementation, "there is a policy of presumptive denial for items that have or support rootkit or zero-day exploit capabilities." She went on to say: "We generally agree that vulnerability research is not controlled, nor is the technology related to choosing a target or finding a target, controlled." However, she undermined her message by stating that any software that is used to help develop 0-day exploits for sale <em>would </em>be covered by the proposal. This is tremendously worrisome because security researchers use the very same tools to develop academic <a href="http://www.westpoint.ltd.uk/blog/2014/04/14/understanding-the-heartbleed-proof-of-concept/">proofs of concept</a>, demonstrating that the vulnerabilities they have found are valid, as to develop 0-days for sale. Indeed the only difference between an academic proof of concept and a 0-day for sale is the existence of a price tag. In other words, BIS may think that it's not regulating vulnerability research, but the proposed rules could end up doing just that.<a class="see-footnote" id="footnoteref1_jc22s43" title="If the regulations go into effect as worded, and ultimately do restrict sharing vulnerability research, that would also raise First Amendment issues, which could be the basis for a legal challenge. However, it would be better to stop this terrible proposal before it gets to that point. Along those lines, we're pretty sure that BIS won't be swayed by a First Amendment argument as BIS believes it can leave that analysis to the courts. We therefore plan to leave a detailed First Amendment legal argument out of our comments." href="#footnote1_jc22s43">1</a></p>
<p>The controls BIS is proposing aren't required by Wassenaar, nor are they included in other Wassenaar implementations. For instance, the <a href="https://www.privacyinternational.org/?q=node/588">UK's implementation</a> does not attempt to control the export of exploits or "intrusion software" itself, while a plain reading of the BIS proposal seems to do just that. Similarly, the UK implementation doesn't affect jailbreaking, fuzzing, or vulnerability reporting, while the BIS rules could be interpreted to include them. In other words, the U.S. proposed implementation disregards the protections of Wassenaar's General Notes and goes much further than the equivalent UK rules.</p>
<h3>Where do we go from here?</h3>
<p>BIS has posted a <a href="https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items#h-19">request for comments</a> on this proposed rule and the comment period is open through July 20, 2015. BIS is specifically asking for information about the negative effects the proposed rule would have on "vulnerability research, audits, testing or screening and your company's ability to protect your own or your client's networks." We encourage independent researchers, academics, the security community, and companies both inside and outside the U.S. to answer BIS' call and <a href="https://www.federalregister.gov/articles/2015/05/20/2015-11642/wassenaar-arrangement-2013-plenary-agreements-implementation-intrusion-and-surveillance-items#addresses">submit formal comments</a>. Researchers and companies whose work has been hindered by the European regulations, which are notably less restrictive than the U.S. proposal, are also encouraged to submit comments about their experience.</p>
<p>EFF will be submitting our own comments closer to the July 20 deadline, but in the meantime, we'd love it if those of you who are submitting comments would copy us (<a href="mailto:wassenaar@eff.org">wassenaar@eff.org</a>) so that we can collect and highlight the best arguments both in our own comments and on this blog.</p>
<ul class="footnotes"><li class="footnote" id="footnote1_jc22s43"><a class="footnote-label" href="#footnoteref1_jc22s43">1.</a> If the regulations go into effect as worded, and ultimately do restrict sharing vulnerability research, that would also raise First Amendment issues, which could be the basis for a <a href="https://www.eff.org/cases/bernstein-v-us-dept-justice">legal challenge</a>. However, it would be better to stop this terrible proposal before it gets to that point. Along those lines, we're pretty sure that BIS won't be swayed by a First Amendment argument as BIS believes it can leave that analysis to the courts. We therefore plan to leave a detailed First Amendment legal argument out of our comments.</li>
</ul></div></div></div>Thu, 28 May 2015 18:41:27 +0000Eva Galperin and Nate Cardozo86074 at https://www.eff.orgCall To ActionCoders' Rights ProjectInternationalSecurityUnited Airlines Stops 
Researcher Who Tweeted about Airplane Network Security from Boarding Flight to Security Conferenceshttps://www.eff.org/deeplinks/2015/04/united-airlines-stops-researcher-who-tweeted-about-airplane-network-security
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Our client, Chris Roberts, a founder of the security intelligence firm One World Labs, found himself <a href="http://www.forbes.com/sites/thomasbrewster/2015/04/17/hacker-tweets-about-hacking-plane-gets-computers-seized/">detained by the FBI</a> earlier this week after tweeting about airplane network security during a United Airlines flight. When Roberts landed in Syracuse, he was questioned by the FBI, which ultimately seized a number of his electronic devices. EFF attorneys now represent Roberts, and we’re working to get his devices back promptly. But unfortunately last week’s tweet and FBI action isn’t the end of the story.</p>
<p>Roberts was back at the airport on Saturday evening, headed to San Francisco to attend two high-profile security conferences, the RSA Conference, where he is <a href="https://www.rsaconference.com/events/us15/agenda/sessions/1617/security-hopscotch">scheduled to present</a> on Thursday, and BSides SF. After Roberts retrieved his boarding pass, made his way through the TSA checkpoint and reached the gate, United corporate security personnel stopped him from boarding the plane. Roberts was told to expect a letter explaining the reasons for not being allowed to travel on United. Thankfully, Roberts was able to book a last-minute flight on another airline and has now landed safely in San Francisco.</p>
<p>Nevertheless, United’s refusal to allow Roberts to fly is both disappointing and confusing. As a member of the security research community, his job is to identify vulnerabilities in networks <i>so that they can be fixed</i>. Indeed, he was headed to RSA to speak about security vulnerabilities in a talk called “<a href="https://www.rsaconference.com/events/us15/agenda/sessions/1617/security-hopscotch">Security Hopscotch</a>” when attempting to board the United flight.</p>
<p>EFF has long been concerned that <a href="https://www.eff.org/deeplinks/2015/04/new-south-wales-attacks-researchers-who-warned-internet-voting-vulnerabilities">knee-jerk responses</a> to <a href="https://www.eff.org/deeplinks/2008/08/mit-students-still-gagged-federal-court">legitimate researchers</a> pointing out security flaws can create a chilling effect in the infosec community. EFF’s <a href="https://www.eff.org/issues/coders">Coders’ Rights Project</a> is intended to provide counseling and legal representation to individuals facing legal threats, which is why we’re glad to represent Chris Roberts. However, we’d also like to see companies recognize that researchers who identify problems with their products in order to have them fixed are their allies. It would avoid a whole lot of trouble for researchers and make us all more secure.</p>
</div></div></div>Sun, 19 Apr 2015 06:12:50 +0000Andrew Crocker85510 at https://www.eff.orgCoders' Rights ProjectSecurityGuess Who Wasn't Invited to the CIA’s Hacker Jamboree?https://www.eff.org/deeplinks/2015/03/guess-who-wasnt-invited-cias-hacker-jamboree
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Apple, that’s who. Or Microsoft, or any of the other vendors whose products US government contractors have successfully exploited according to a <a href="https://firstlook.org/theintercept/2015/03/10/ispy-cia-campaign-steal-apples-secrets">recent report</a> in the Intercept. While we’re not surprised that the Intelligence Community is actively attempting to develop new spycraft tools and capabilities—that’s their job—we expect them to follow the administration’s rules of engagement. Those rules require an evaluation under what’s known as the “Vulnerabilities Equities Process.” In <a href="http://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities">the White House’s own words</a>, the process should usually result in disclosing software vulnerabilities to vendors, because “in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest.”</p>
<p><img src="/files/2015/03/10/youaintnofriendofmine.png" alt="TCB graphic" title="TCB Jamboree, satire courtesy of Dimitri Rizek" class="align-right" height="320" width="320" /></p>
<p>Nevertheless, the Intercept article describes an annual CIA conference known as the <a href="https://firstlook.org/theintercept/document/2015/03/10/tcb-jamboree-2012/">Trusted Computing Base (TCB) Jamboree</a><a class="see-footnote" id="footnoteref1_h1ghkeh" title="We have no idea if the organizers of the TCB Jamboree were aware of the coincidence, but as any good Elvis fan knows, the King's personal motto was Taking Care of Business, or TCB for short." href="#footnote1_h1ghkeh">1</a> at which members of the intelligence community present extensively on software vulnerabilities and exploits to be used in spying operations. At the 2012 TCB Jamboree, presenters from Sandia National Laboratories, which is a contractor for the Department of Energy, described an attack on Xcode, the Apple software used to compile applications in Mac OS X and iOS. The “whacked” Xcode exploit, called <a href="https://firstlook.org/theintercept/document/2015/03/10/strawhorse-attacking-macos-ios-software-development-kit/">Strawhorse</a>, enables intelligence agents to implant a version of Xcode on developers' computers which, unbeknownst to the developers, would cause software they compile to include a backdoor or other compromise. If successful, the attack could enable a range of surveillance-friendly applications to be covertly made available to the public. The report suggests that the Sandia team discovered and employed a number of additional vulnerabilities in Apple’s hardware and software, including a vulnerability in Apple's secure element that enabled them to <a href="https://firstlook.org/theintercept/document/2015/03/10/secure-key-extraction-physical-de-processing-apples-a4-processor/">extract a secret key</a>, and one that allowed modification of the OS X updater to install a keylogger. Finally, the report describes similar presentations on Microsoft’s BitLocker software and others.</p>
<p>The vulnerabilities involved in these exploits were almost certainly unknown to Apple itself, and the documents released by the Intercept do not indicate that the CIA or its contractors ever considered disclosing them to the company. Yet this is what the administration’s Vulnerabilities Equities Process requires—a balancing test that weighs the risk to average users of leaving unpatched vulnerabilities against the needs of the intelligence community.</p>
<p>EFF has <a href="https://www.eff.org/cases/eff-v-nsa-odni-vulnerabilities-foia">sued</a> under the Freedom of Information Act (FOIA) to uncover more about the Vulnerabilities Equities Process, which the White House characterized as a set of principles that inform “a disciplined, rigorous and high-level decision-making process for vulnerability disclosure.” Naturally, the Office of the Director of National Intelligence and the NSA have been less than forthcoming in response to our FOIA suit, producing <a href="https://www.eff.org/files/2014/12/16/december_15_production_ocr.pdf">only a handful of highly-redacted documents</a> to date. Given the scanty information we’ve received, and the freedom with which the Jamboree attendees seem to stockpile vulnerabilities, we have doubts that the Equities Process is really as “disciplined and rigorous” as the administration claims.</p>
<p>When asked for comment, an <a href="http://www.cnbc.com/id/102492655">unnamed intelligence official told CNBC</a>: "There's a whole world of devices out there, and that's what we're going to do...It is what it is."</p>
<ul class="footnotes"><li class="footnote" id="footnote1_h1ghkeh"><a class="footnote-label" href="#footnoteref1_h1ghkeh">1.</a> We have no idea if the organizers of the TCB Jamboree were aware of the coincidence, but as any good Elvis fan knows, the King's personal motto was <a href="https://en.wikipedia.org/wiki/TCB_Band">Taking Care of Business</a>, or TCB for short.</li>
</ul></div></div></div><div class="field field-name-field-related-cases field-type-node-reference field-label-above"><div class="field-label">Related Cases:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/cases/eff-v-nsa-odni-vulnerabilities-foia">EFF v. NSA, ODNI - Vulnerabilities FOIA </a></div></div></div>Wed, 11 Mar 2015 00:14:34 +0000Andrew Crocker and Nate Cardozo84980 at https://www.eff.orgCommentaryCoders' Rights ProjectPrivacySecurityAaron Swartz's Work, Computer Crime Law, and "The Internet's Own Boy"https://www.eff.org/deeplinks/2014/08/aaron-swarts-work-internets-own-boy
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><a href="https://act.eff.org/action/reform-computer-crime-law/"><img class="image-right" src="/files/2014/08/26/swartz-curious.jpg" alt="" height="322" width="300" /></a>It’s been more than a year since Aaron Swartz’s tragic death, and now Aaron’s life is the subject of a new documentary, <a href="http://www.takepart.com/internets-own-boy"><i>The Internet’s Own Boy</i></a>, directed by Brian Knappenberger. The documentary has received much <a href="https://en.wikipedia.org/wiki/The_Internet%27s_Own_Boy:_The_Story_of_Aaron_Swartz#Reception">acclaim</a> and deservedly so. It tells the story of a political activist and innovator who put theory into practice, always experimenting and building new tools and methodologies to animate his <a href="http://www.aaronsw.com/weblog/">theory of change</a>.</p>
<p>Aaron Swartz fought for an Internet grounded in community, creativity, and human rights. By co-creating platforms like RSS, reddit, Creative Commons, and the technology that became <a href="http://www.newyorker.com/news/news-desk/strongbox-and-aaron-swartz">SecureDrop</a>, he helped make information accessible. Perhaps more than anything, Aaron Swartz helped hundreds of thousands of people participate in the political processes that determine the laws we have to live under every day.</p>
<p>There are so many things that Aaron accomplished by the age of 26 that we thought it may help to make a companion for the film, a guide for those who want to watch with a deeper understanding of the issues behind Aaron’s projects.</p>
<p>We begin with the projects discussed in the film and then examine the <a href="https://www.eff.org/issues/cfaa">Computer Fraud and Abuse Act</a>, the law that was used to indict him on 11 criminal charges before his tragic death.</p>
<h3>Creative Commons and the Problem with Copyright</h3>
<p>As a teenager, Aaron was a core member on the team of lawyers and copyright wonks that developed <a href="https://creativecommons.org/">Creative Commons</a>, a project that simplifies sharing with easy-to-use copyright licenses. Aaron Swartz helped to design the code behind Creative Commons licensing.</p>
<p>Creative Commons was a revolutionary project that remains significant today. It’s a suite of licenses that artists, writers, and other creators can use to enable sharing, remixing, and collaboration. Online, it’s incredibly easy to copy and paste, to edit, and to share instantaneously. Doing so can sometimes run smack in the face of copyright law, which requires explicit permissions to be granted in advance of sharing or using a creative work in many contexts.</p>
<p>Creative Commons is more compatible with the intensive sharing environment of the Internet. It allows artists, makers, programmers, writers, and everyone in between to reserve only some rights, not all rights. With a Creative Commons license, one can encourage the sharing of her work while still being attributed. One can choose not to allow others to monetize a work, but still invite remixing, or block remixing while still encouraging distribution. Brian Knappenberger has made <i>The Internet’s Own Boy</i> available under a Creative Commons license, and it can be <a href="https://archive.org/details/TheInternetsOwnBoyTheStoryOfAaronSwartz">downloaded and shared for free</a> from the Internet Archive.</p>
<h3>Open Access and Open Government</h3>
<p>A large part of <i>The Internet’s Own Boy</i> traces Aaron’s various projects aimed at furthering the pursuit of information. He wanted to make it easier to learn about the laws that we have to live with every day, as well as ease access to the academic articles that form the building blocks of our knowledge about the world.</p>
<p>“The world's entire scientific and cultural heritage, published over centuries in books and journals,” reads the <a href="https://archive.org/stream/GuerillaOpenAccessManifesto/Goamjuly2008_djvu.txt">Open Access Manifesto</a>, which was written by Aaron and is quoted in <i>The Internet’s Own Boy</i>, “is increasingly being digitized and locked up by a handful of private corporations.”</p>
<p>Aaron started projects like <a href="https://openlibrary.org">The Open Library</a>, which seeks to make one webpage for every book published (imagine a future where we don’t link to Amazon when directing people to a book). And during his brief stint at Stanford, Aaron worked with a law student to download the entire Westlaw database of law review articles and found <a href="http://www.stanfordlawreview.org/print/article/punitive-damages-remunerated-research-and-legal-profession">troubling connections</a> between funders of research and favorable conclusions.</p>
<p>Aaron’s quest led him to the <a href="https://www.pacer.gov/">PACER system</a>, the federal judiciary’s pay-walled public court record database. PACER charges per page to view US court documents that are a matter of public record. Journalists, students, litigants, academics, and all kinds of people need access to the details of the litigation that defines our laws in order to do their work. We shouldn’t have to pay to see the law.</p>
<p>Information activists like <a href="https://en.wikipedia.org/wiki/Carl_Malamud">Carl Malamud</a> have long been critical of PACER and in 2009, when the system launched a project to allow free PACER access at 17 libraries nationwide, Malamud encouraged patrons to download PACER records and share them on an online repository. Aaron Swartz accepted the invitation and wrote a computer program that downloaded 20 million pages of federal court documents. In the process, scores of <a href="https://public.resource.org/scribd/7512583.pdf">privacy violations</a> were found in the PACER documents, which revealed Social Security numbers, Secret Service agents’ identities, and the like, leading to stricter privacy <a href="http://www.nytimes.com/2009/02/13/us/13records.html">enforcement</a> in the courts.</p>
<p>For doing this Swartz became the target of an FBI investigation that was later dropped. But as Malamud remembers in <i>The</i> <i>Internet’s Own Boy</i>, “I’ll grant you that downloading 20 million pages had perhaps exceeded the expectations of the people running the pilot access [PACER] project, but surprising a bureaucrat isn’t illegal.”</p>
<h3>Stopping SOPA</h3>
<p>Aaron Swartz <a href="https://www.youtube.com/watch?v=Fgh2dFngFsg">played a central role</a> in the fight to stop the censorious <a href="https://www.eff.org/issues/coica-internet-censorship-and-copyright-bill">Stop Online Piracy Act</a> (SOPA) that snowballed into the largest online campaign in history. SOPA was a poorly worded bill that would have allowed the Department of Justice to shut down entire Internet domains because content posted on a single website might be infringing copyright—and without a trial.</p>
<p>Swartz co-founded <a href="dempandprogress.org">Demand Progress</a>, a digital rights organization that EFF continues to work with closely today. Demand Progress was instrumental in organizing the grassroots outcry; they boiled down the bill into super simple language and asked that people take a quick action to stop it. Most people in DC were trying to make slight improvements to a terrible bill, but Demand Progress, along with EFF, Fight for the Future, Public Knowledge, and others, mounted a campaign to stop it completely.</p>
<p>Wikipedia, Mozilla, Google, and countless others <a href="https://en.wikipedia.org/wiki/Protests_against_SOPA_and_PIPA">blacked out</a> websites and displayed banners over their logos sending people to a petition to oppose the bill. It worked. SOPA didn’t pass, and today it remains one of the most important chapters in the history of the digital rights movement.</p>
<h3>The Computer Fraud and Abuse Act</h3>
<p>“There’s no justice in following unjust laws,” reads the <a href="https://archive.org/stream/GuerillaOpenAccessManifesto/Goamjuly2008_djvu.txt">Open Access Manifesto</a> penned by Aaron Swartz. And an unjust law is exactly what prosecutors used against Swartz, who was charged with <a href="https://www.eff.org/deeplinks/2013/01/aaron-swartz-fix-draconian-computer-crime-law">13 criminal counts</a> for downloading millions of articles from an academic journal database on MIT’s network. An unjust system charged Aaron Swartz in a way that would have put him <a href="https://www.eff.org/deeplinks/2013/03/3-months-or-35-years-understanding-cfaa-sentencing-part-1-why-maximums-matter">in jail for years</a> (<a href="https://www.eff.org/deeplinks/2013/03/3-months-or-35-years-understanding-cfaa-sentencing-part-1-why-maximums-matter">the maximum sentence possible added up to 35 years</a>, yet we realize that would have been <a href="https://www.eff.org/deeplinks/2013/03/41-months-weev-understanding-how-sentencing-guidelines-work-cfaa-cases-0">an unlikely outcome</a>) for violating the <a href="https://www.eff.org/deeplinks/2013/01/these-are-critical-fixes-computer-fraud-and-abuse-act">Computer Fraud and Abuse Act</a>.</p>
<p>The prosecution of Aaron also reflected profound problems with the criminal justice system far beyond the CFAA, including the incentives for prosecutors to pursue charges as aggressively as possible to try to make a defendant plead guilty.</p>
<p>Eleven of the thirteen counts against Aaron were based on the Computer Fraud and Abuse Act (CFAA), a law written in 1984 that makes it a crime to access a computer without “authorization” or in <i>excess</i> of authorized access. But these terms aren’t clear and the Department of Justice in the past has argued the CFAA makes it a federal crime to <a href="https://www.eff.org/cases/united-states-v-drew">violate</a> a website’s terms of service, meaning that something like <a href="https://www.eff.org/deeplinks/2013/04/until-today-if-you-were-17-it-could-have-been-illegal-read-seventeencom-under-cfaa">lying about your age</a> or your height online could be counted as a federal crime.</p>
<h3>Framing Aaron’s Law as a Good Start</h3>
<p><i>The Internet’s Own Boy</i> points viewers to <a href="https://www.eff.org/deeplinks/2013/06/aarons-law-introduced-now-time-reform-cfaa">Aaron’s Law</a>, a bill proposed soon after Swartz’s passing that would partly fix the broken and outdated CFAA. <a href="https://act.eff.org/action/reform-computer-crime-law">We support Aaron’s Law</a>. If it passed, everyday computer users wouldn’t face criminal liability for violating a terms of service agreement, and it would protect users who access information in ways that protect their anonymity. But unfortunately, the bill <a href="https://www.eff.org/deeplinks/2013/01/effs-initial-improvements-aarons-law-computer-crime-reform">does not go far enough</a> and does not—currently—have widespread support in Congress.</p>
<p>Aaron’s Law, as drafted, wouldn’t have protected Aaron Swartz from the <a href="https://www.eff.org/deeplinks/2013/02/rebooting-computer-crime-part-3-punishment-should-fit-crime">excessive penalties</a> mounted against him. The CFAA currently punishes low-level offenses as felonies that, in a saner world, would be classified as misdemeanors. Currently, the CFAA is structured so that the same behavior can often be double-counted as violations of multiple provisions of law, which prosecutors then combine to beef up the potential penalties to an absurd degree. We strongly believe that CFAA reform should eliminate this kind of double-counting.</p>
<h3>The Fight Continues</h3>
<p>Aaron sought to make the world a better place; he wanted to share access to knowledge and expose corruption. Our movement to defend digital rights is stronger because of him. And we can only imagine how Aaron would have contributed to the fight to protect our rights and expand our freedoms as more people come to depend on an open Internet.</p>
<p>We will <a href="https://act.eff.org/action/reform-computer-crime-law">continue to fight</a>. Aaron’s story is one worth telling. That’s why we encourage everyone who has seen this documentary to show it to a friend, host a screening at work or on campus, and encourage others to watch it. In a following post we will provide materials to host a viewing party of <i>The Internet’s Own Boy</i> and outline what we can all do to restore justice to computer crime laws, to improve access to knowledge, and to defend free speech and the future of our open Internet. We hope you’ll join us.</p>
<p></p><center><a href="https://www.eff.org/deeplinks/2014/09/host-screening-and-discussion-about-internets-own-boy"><strong>SEE EFF'S GUIDE TO ORGANIZE A FILM SCREENING OF <em>THE INTERNET'S OWN BOY</em></strong></a></center><center><a href="https://act.eff.org/action/reform-computer-crime-law"><img class="image-center" src="/files/action-1c-2_0.png" alt="" height="39" width="184" /></a></center>
</div></div></div>Thu, 28 Aug 2014 06:58:16 +0000April Glaser82004 at https://www.eff.orgDMCASOPA/PIPA: Internet Blacklist LegislationInnovationCoders' Rights ProjectOpen AccessComputer Fraud And Abuse Act ReformElectronic Frontier AllianceEFF's Defcon 22 
T-Shirt Puzzle Explainedhttps://www.eff.org/deeplinks/2014/08/effs-defcon-22-t-shirt-puzzle-explained
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>This summer we proudly unveiled EFF's fifth limited edition member t-shirt to DEF CON 22 attendees at the annual hacker conference in Las Vegas. Secretive organizations <a href="https://www.eff.org/issues/tpp">scheming global domination</a> and <a href="https://www.eff.org/nsa-spying">watching everything you do</a> may not be very far fetched, but we've turned that concept on its head with a digital freedom society-themed motif created by EFF Senior Designer <a href="https://www.eff.org/about/staff/hugh-dandrade">Hugh D'Andrade</a>. Together we are growing our own conspiracy to defend privacy and free expression for all. Hidden within the rich mystic symbolism of the crossing keypair, ethernet cable crest, lockpicks, and anti-surveillance eye is a secret puzzle for you to decipher, the likes of which would make even <a href="https://en.wikipedia.org/wiki/Voynich_manuscript">Voynich</a> jealous! <em>Warning: spoilers are ahead, and you already know too much!</em></p>
<p></p><center><img src="https://www.eff.org/files/2014/08/13/defcon-shirt-snap-1.jpg" alt="" title="Shirt front under regular light and UV light." height="300" width="549" /></center>
<p>Displayed on the left is the original shirt as seen in plain daylight. But under the shine of a blacklight, the ciphertext is revealed:</p>
<blockquote><p>[Iikcggu] Gvdw ag etxlku | [Ptjhafvmkx] rqgrva(cgvs urlaiaixcm Asiixl) | [Gwhusu] akksdx bzqaymoukh(gsyi, Jnsrgo) | [Rmtm] mwllzg(ihrl.qv_e? Wkivav)</p></blockquote>
<p>What does it mean? A second text is highlighted with the blacklight:</p>
<blockquote><p>QUISQUE ALIQUID HABET QUOD OCCULTET</p></blockquote>
<p>Our super secure <a href="https://en.wikipedia.org/wiki/Key_derivation_function">Key Derivation Function</a> comes in the form of a dictionary. Translated from Latin into English, this phrase becomes:</p>
<blockquote><p>Everyone has something to hide</p></blockquote>
<p>And how do you decode the ciphertext? Using a cipher developed in the 16th century called the <a href="https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher">Vigenère cipher</a>:</p>
<blockquote><p>[English] Code is speech | [Javascript] assert(code instanceof Speech) | [Python] assert isinstance(code, Speech) | [Ruby] assert(code.is_a? Speech)</p></blockquote>
<p>The plaintext reminds us of an important ruling made in the historic case <a href="https://www.eff.org/cases/bernstein-v-us-dept-justice">Bernstein v. US Department of Justice</a>, which EFF litigated: source code is a form of speech constitutionally protected by the First Amendment. Special congratulations go to <a href="https://twitter.com/1o57">1o57</a> and the council of 9 for being the first to solve this year's puzzle!</p>
<p></p><center><img src="/files/2014/08/13/1057_council_9.jpeg" alt="" height="412" width="549" /><br /><br />
Photo Credit: junkmail. <a href="https://creativecommons.org/licenses/by/2.0/">CC Attribution 2.0</a></center>
</div></div></div>Fri, 15 Aug 2014 19:47:08 +0000Aaron Jue and Bill Budington81794 at https://www.eff.orgAnnouncementCoders' Rights ProjectComputer Fraud And Abuse Act ReformOpen Source Madnesshttps://www.eff.org/deeplinks/2014/07/open-source-madness
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>The Yorba Foundation, a non-profit group that produces open source Linux desktop software, reported last week that it was <a href="http://yorba.org/docs/IRS-determination-letter-final.pdf">denied tax-exempt 501(c)(3) status by the IRS</a>. The group had waited nearly five years for a decision. The IRS stated that, because the software Yorba develops can be used commercially, the organization has a substantial non-exempt purpose and is disqualified from tax-exempt status. We think the IRS’ decision rests on a fundamental misunderstanding of open source software.</p>
<p>This decision comes against the backdrop of previous “be on the look out” (BOLO) orders for open source software organizations’ applications for 501(c)(3) status. BOLOs were at the heart of the <a href="http://www.motherjones.com/kevin-drum/2013/06/irs-also-targeted-groups-labeled-themselves-progressive">controversy</a> over increased scrutiny of progressive and Tea Party organizations. A Mother Jones reader <a href="http://www.motherjones.com/kevin-drum/2013/06/revealed-why-irs-targeting-open-source-software-groups">theorized</a> that the IRS’s concerns might stem from debates during the 1970s and 1980s about whether computer user groups should count as non-profits. Perhaps so, but that’s no excuse for a five-year delay.</p>
<p>As Bradley Kuhn from the Software Freedom Conservancy noted in a <a href="http://www.wired.com/2013/06/irs-open-sourc/">2013 Wired article</a>, some open source projects that primarily work on commercial products aren’t actually a good fit for 501(c)(3) status and “[the IRS] has trouble making the distinction.” In fact, in its June 23rd 2010 letter to Yorba, the IRS asked directly: “Please explain how the activities of this organization differ from a commercial software development company beside distributing the software for free.”</p>
<p>Open source software organizations applying for tax-exempt 501(c)(3) status have to show that they are organized and operated exclusively for charitable, scientific or educational purposes. Unfortunately, these narrow buckets don’t necessarily correspond to the important work that some free and open source software (FOSS) organizations do.</p>
<p>Many FOSS projects have direct educational impacts. <a href="http://www.raspberrypi.org/about/">The Raspberry Pi Foundation</a>, out of the United Kingdom, was formed directly to address the declining number of students interested in computer science. The GNOME Foundation, which is a 501(c)(3) organization, funds an <a href="https://wiki.gnome.org/OutreachProgramForWomen">outreach program for women</a> interested in free software. But organizations like Yorba directly fund software production as opposed to educational programming, and that makes them a harder fit for 501(c)(3) status.</p>
<p>Just as a project might reject code that doesn’t conform to its standards, even if the code is well written, the IRS is bound by a narrow set of restrictions that it has previously interpreted. Journalism start-ups have faced <a href="http://www.dmlp.org/irs">similar problems</a> – while clearly their work benefits the public, it may not fully be charitable or educational, and thus may not be eligible for 501(c)(3) status.</p>
<p>Still, the IRS’s denial demonstrates a lack of understanding of the open source movement:</p>
<blockquote><p><i>[The Yorba Foundation has] a substantial nonexempt purpose because [it] develop[s] software published under open source compatible licenses that authorize use by any person for any purpose, including nonexempt purposes such as commercial, recreational, or personal purposes, including campaign intervention and lobbying.</i></p></blockquote>
<p>As Jim Nelson said in <a href="http://blogs.gnome.org/jnelson/2014/06/30/the-new-501c3-and-the-future-of-free-software-in-the-united-states/">his post about the denial</a>, these objections clash with three of the <a href="https://www.gnu.org/philosophy/free-sw.html">Four Software Freedoms</a>: the freedom to run the program as you wish, the freedom to redistribute copies, and the freedom to distribute copies of your modified versions. That’s the benefit of permissive licensing. Although the IRS’s concerns about laundering money through non-profits to avoid taxes are reasonable, those should not stand in the way of legitimate open source software organizations.</p>
<p>Additionally, five years is a ridiculous length of time to sit on an application. The Yorba Foundation heard nothing from the IRS between October 2011 and July 2014. Although efforts are being made to <a href="http://www.irs.gov/uac/Newsroom/New-1023-EZ-Form-Makes-Applying-for-501c3Tax-Exempt-Status-Easier-Most-Charities-Qualify">streamline this process</a> via providing a new, easier form, the IRS still has 60,000 pending applications. 501(c)(3) status is often vital for organizations that are looking to use grant money or have larger donors. Although individual small donors may not be worried about the tax deduction, foundations and large donors often won’t work with non-501(c)(3)s. We hope that the new simplified form will help cut down the number of organizations stuck in limbo.</p>
<p>It may be that not every open source project is a good fit for 501(c)(3) status. However, the IRS’ position that the production of software is a “commercial activity” and that otherwise exempt organizations may be disqualified based on potential uses of their software by third parties is too inflexible and risks causing worthy non-profits to lose out on 501(c)(3) status.</p>
</div></div></div>
Thu, 17 Jul 2014 00:08:45 +0000
Kendra Albert
81446 at https://www.eff.org
Policy Analysis
Coders' Rights Project
What Were They Thinking? Microsoft Seizes, Returns Majority of No-IP.com’s Business
https://www.eff.org/deeplinks/2014/07/microsoft-and-noip-what-were-they-thinking
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Last week, <a href="http://blogs.microsoft.com/blog/2014/06/30/microsoft-takes-on-global-cybercrime-epidemic-in-tenth-malware-disruption/">Microsoft completed a legal attack</a> on two large and quite nasty botnets by obtaining a <a href="http://www.noticeoflawsuit.com/docs/Second%20Amended%20Order%20Granting%20Ex%20Parte%20Application%20for%20a%20TRO.pdf">court order</a> transferring 23 domain names to Microsoft’s control. The botnets went down and the Internet was a better place for it. But in doing so, <a href="http://www.noip.com/blog/2014/06/30/ips-formal-statement-microsoft-takedown/">Microsoft also took out the world’s largest dynamic DNS provider</a> using a dangerous legal theory and without any prior notice to Vitalwerks Internet Solutions—the company that runs No-IP.com—or to the millions of innocent users who rely on No-IP.com every day.</p>
<p>Just two days later, <a href="http://arstechnica.com/security/2014/07/order-restored-to-universe-as-microsoft-surrenders-confiscated-no-ip-domains/">Microsoft reversed course</a> and began returning control of the seized domains to Vitalwerks. And yesterday, <a href="http://www.noip.com/blog/2014/07/09/vitalwerks-microsoft-reach-settlement/">Microsoft and Vitalwerks announced a settlement agreement</a>, with Microsoft admitting that “Vitalwerks was not knowingly involved with the subdomains used to support malware.”</p>
<p>We commend Microsoft’s prompt about-face. A company with less integrity would have stuck to its guns, and we are pleased that Microsoft instead worked quickly to rectify this situation. That said, we are disappointed that Microsoft crafted its lawsuit in a way that created these problems in the first place.</p>
<h3>A Flawed Plan</h3>
<p>First, some background. No-IP.com provides what’s known as dynamic DNS service at both free and paid levels. With dynamic DNS, users who lack a static IP address (mostly mobile users and home and small business DSL or cable subscribers) can host servers at a constant URL, for instance <u>example.no-ip.org</u>, despite the fact that the IP address of that server, and hence the route needed to find it on the Internet, changes frequently. I actually use No-IP.com on my parents’ computer in Los Angeles so that I can provide remote tech support from San Francisco without having them locate and read me their IP address over the phone every time they need help. Prior to Microsoft’s action, <a href="http://www.noip.com/about">No-IP.com boasted more than 18,000,000 users</a> of its free service alone.</p>
<p>Microsoft claims to have had no problem with the vast majority of No-IP.com’s users, and we have no reason to doubt Microsoft's sincerity. Instead, Microsoft was concerned by the use of No-IP.com’s service by a pair of botnet operators controlling a total of just over <a href="http://www.noticeoflawsuit.com/docs/Brief%20in%20Support%20of%20Ex%20Parte%20Application%20for%20a%20TRO.pdf#page=9">18,000 nodes</a> at as many subdomains. The botnets used dynamic DNS for essentially the same reasons that I do; it allowed the operators to keep track of the individual nodes of the botnet without having to maintain a current list of their IP addresses or a static command and control server. Microsoft’s plan was to use its own nameservers to send requests to resolve the botnet-associated subdomains to a blackhole, while continuing to resolve requests for the legitimate subdomains to their appropriate IP addresses. So they went to court, in secret and without telling No-IP.com, and convinced a Federal District Judge in Nevada to order the domain name registries to list Microsoft’s nameservers as authoritative for 23 of No-IP.com’s most popular domains.</p>
<p>But Microsoft’s plan failed catastrophically. The transfer resulted in <a href="http://www.noip.com/blog/2014/07/10/microsoft-takedown-details-updates/?utm_source=email&amp;utm_medium=notice&amp;utm_campaign=microsoft-takedown-update">more than 5,000,000 subdomains served by No-IP.com simply failing to resolve</a>. The details of the technical failure are obscure from outside Microsoft, but those numbers are worth repeating. In order to take down an 18,000-node botnet, Microsoft commenced a legal action that resulted in the termination of DNS service to nearly 5,000,000 subdomains with which Microsoft had no complaint. In other words, the seizure order that Microsoft asked for, and a federal judge approved, was 99.6% overbroad.</p>
<p>Drawing an analogy to the real world, imagine a busy shopping mall filled with legitimate businesses and a single mafia front. Microsoft, feeling injured by the mafia front’s usage of its trademark and attacks on its users, went to federal court <i>in secret</i> and obtained an order transferring control of the mall to Microsoft's own mall cops, who vowed to keep out only the mafia. But Microsoft’s mall cops were apparently overwhelmed by the number of visitors and simply locked the mall’s doors, keeping out everyone, including the 99.6% of visitors who had legitimate shopping to do.</p>
<p>Microsoft’s plan could have worked. Apparently Microsoft simply lacked the infrastructure capacity to put it into place. How did they make such a gross miscalculation? By telling themselves, <a href="http://www.noticeoflawsuit.com/docs/Anselmi%20Declaration%20in%20support%20of%20TRO.pdf#page=3">and the court</a>, that their “goal is to cut-off traffic to [the botnet] while allowing traffic through to any other sub-domains, if there are any such sub-domains at all.” Microsoft's lawsuit was intended to blackhole only the <a href="http://www.noticeoflawsuit.com/docs/Brief%20in%20Support%20of%20Ex%20Parte%20Application%20for%20a%20TRO.pdf#page=9">.1%</a> of No-IP.com’s subdomains that were involved with the botnets it sought to disrupt, and it glossed over the effect on the millions of other domains, even suggesting it was possible that they were all bad actors. And because No-IP.com was kept in the dark, the judge heard only Microsoft's version.</p>
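<p>A simplified model of the plan described above, added here as an illustration (it is not Microsoft's or No-IP.com's code): a nameserver that sinkholes only blocklisted hostnames and passes every other name in a seized zone through to the provider's real records. The zone <code>ddns.example</code>, all hostnames, addresses and both lookup functions are constructed assumptions; the second scenario shows that when the pass-through path is unavailable, every legitimate name fails along with the targets.</p>

```python
"""Simplified model of selective sinkholing at an authoritative nameserver.
Every zone, hostname, address and lookup function here is constructed."""

SINKHOLE_ADDR = "192.0.2.1"            # TEST-NET-1 address standing in for the blackhole
SEIZED_ZONES = {"ddns.example"}        # zone whose authority was transferred
BLOCKLIST = {"bot-c2.ddns.example"}    # normalized botnet-associated hostnames
PROVIDER_RECORDS = {                   # the provider's current dynamic records
    "home-nas.ddns.example": "198.51.100.10",
    "parents-pc.ddns.example": "198.51.100.11",
    "cam.ddns.example": "198.51.100.12",
    "shop.ddns.example": "198.51.100.13",
}
QUERIES = [
    "Bot-C2.DDNS.example.", "home-nas.ddns.example", "Parents-PC.ddns.example",
    "cam.ddns.example.", "shop.ddns.example", "www.unrelated.example",
]


def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.strip().rstrip(".").lower()


def in_zone(qname, seized_zones):
    """True if qname is a seized zone apex or any name beneath it."""
    name = normalize(qname)
    return any(name == z or name.endswith("." + z) for z in seized_zones)


def healthy_lookup(name):
    """Pass-through path working: return the provider's record."""
    return PROVIDER_RECORDS[name]      # KeyError is a LookupError


def overloaded_lookup(name):
    """Pass-through path unavailable for every legitimate name."""
    raise LookupError("pass-through capacity exhausted")


def answer(qname, seized_zones, blocklist, lookup_legit):
    """Return (rcode, address) as the new authoritative server would."""
    name = normalize(qname)
    if not in_zone(name, seized_zones):
        return ("REFUSED", None)            # not authoritative for this name
    if name in blocklist:
        return ("NOERROR", SINKHOLE_ADDR)   # the intended effect
    try:
        return ("NOERROR", lookup_legit(name))
    except LookupError:
        return ("SERVFAIL", None)           # collateral damage


def collateral_pct(broken, sinkholed):
    """Share of disrupted names that were never targets, in percent."""
    disrupted = broken + sinkholed
    return round(100 * broken / disrupted, 1) if disrupted else 0.0


def impact(queries, seized_zones, blocklist, lookup_legit):
    """Tally outcomes for a batch of queries."""
    counts = {"sinkholed": 0, "resolved": 0, "broken": 0, "out_of_zone": 0}
    for q in queries:
        rcode, addr = answer(q, seized_zones, blocklist, lookup_legit)
        if addr == SINKHOLE_ADDR:
            counts["sinkholed"] += 1
        elif rcode == "NOERROR":
            counts["resolved"] += 1
        elif rcode == "SERVFAIL":
            counts["broken"] += 1
        else:
            counts["out_of_zone"] += 1
    counts["collateral_pct"] = collateral_pct(counts["broken"], counts["sinkholed"])
    return counts


if __name__ == "__main__":
    print("healthy   :", impact(QUERIES, SEIZED_ZONES, BLOCKLIST, healthy_lookup))
    print("overloaded:", impact(QUERIES, SEIZED_ZONES, BLOCKLIST, overloaded_lookup))
    # The article's own figures: ~5,000,000 innocent names, ~18,000 targets.
    print("article figures:", collateral_pct(5_000_000, 18_000), "% collateral")
```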
<h3>A Flawed Process </h3>
<p>Microsoft’s technical failure, as well as its suggestion to the court that there might not have been any innocent users of No-IP.com, both depended on the <i>ex parte</i> (legalese for without the participation of the other side) nature of the proceedings. Had No-IP.com been aware of the lawsuit, and the pending order to seize what amounted to a large fraction of its business, it would have been able to correct both of Microsoft’s failures and spare the owners of the nearly 5,000,000 innocent subdomains (including yours truly) from having their DNS service cut without notice.</p>
<p>Microsoft <a href="http://www.noticeoflawsuit.com/docs/Brief%20in%20Support%20of%20Ex%20Parte%20Application%20for%20a%20TRO.pdf#page=27">argued to the court</a> that an <i>ex parte </i>hearing was required because if notice to the defendants was given, the botnets would pack up shop, switch to a different dynamic DNS provider, and disappear. Perhaps that was a good reason to keep notice from the <i>botnet defendants</i>, but it’s no reason to keep knowledge of the lawsuit from No-IP.com. Microsoft appears to be suggesting to the judge that No-IP.com would surely have tipped off the botnet operators, or at least allowed the botnet operators to somehow escape. That is utter nonsense.</p>
<p>In <i>ex parte </i>proceedings, lawyers owe a <a href="http://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_3_3_candor_toward_the_tribunal.html">heightened duty of candor</a> to the court, since there’s no adversary to challenge their assertions. We would have hoped that would have resulted in a more thorough pre-lawsuit investigation. Now, just over a week after convincing a judge that it was vital to keep notice from No-IP.com, <a href="http://blogs.technet.com/b/microsoft_blog/archive/2014/06/30/microsoft-takes-on-global-cybercrime-epidemic-in-tenth-malware-disruption.aspx">Microsoft has admitted</a> that it is confident that No-IP.com was not acting in concert or even involved with the botnet operators. Thus withholding notice from No-IP.com was never warranted.</p>
<h3>A Flawed Legal Theory</h3>
<p>Not only did Microsoft bungle the facts and the tech underlying its seizure of No-IP.com’s core business, its case against the provider was based on a downright dangerous legal theory. Microsoft argued that, as a provider of free network services, No-IP.com was negligent. Indeed, Microsoft claims that No-IP.com had a <a href="http://www.noticeoflawsuit.com/docs/Brief%20in%20Support%20of%20Ex%20Parte%20Application%20for%20a%20TRO.pdf#page=20">legal obligation</a> to:</p>
<ul><li>Require all users to provide their real name, address, and telephone number.</li>
<li>Put that information in a <i>public </i>database.</li>
<li>Use a “web reputation” service to identify bad actors.</li>
<li>And <i>encrypt</i> its customers’ usernames and passwords.</li>
</ul><p>Every one of those points is rubbish, and none is a legal duty of service providers. First, anonymity online is <a href="https://www.eff.org/issues/anonymity">unambiguously protected by the First Amendment</a> and is a cornerstone of our democracy. Service providers are free to allow their users the option of exercising their constitutional rights. Second, publishing a public database of users is by no means a best practice, and in fact would be one of the worst. Third, several companies offer “web reputation” services, <a href="http://www.microsoft.com/security/portal/mrs/">including Microsoft</a>. While a service provider is certainly free to use one of those services if it so chooses, the claim that it is legally required to do so is spurious. To the contrary, under <a href="https://www.eff.org/issues/cda230">federal law</a>, service providers are not held responsible for the acts of their users, and not made responsible for failing to adequately block bad content. And finally, did Microsoft actually argue that it is a security best practice, and in fact a legal duty, for service providers to <i>encrypt </i>passwords? Because storing users’ passwords in a form that could be decrypted to plaintext by anyone, including the provider, is absolutely terrible security hygiene. If Microsoft meant that the best practice is to store the passwords in a table of cryptographic hashes, it should have said so.</p>
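<p>The difference between encrypting and hashing stored passwords, as an added example (not code from the original post, No-IP.com or Microsoft). The HMAC-based stream cipher is a constructed stand-in for any reversible scheme, and the 16-byte salt/nonce layout and scrypt parameters are assumptions chosen for illustration.</p>

```python
"""Reversible ("encrypted") password storage beside salted, slow hashing.
Standard library only; record layouts and parameters are illustrative."""
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; used only to model a reversible scheme."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def store_encrypted(password, key):
    """Weak design: the record can be turned back into the password."""
    nonce = os.urandom(16)
    data = password.encode()
    stream = keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, stream))


def recover_encrypted(record, key):
    """Anyone holding the key (the provider, or whoever obtains the key
    together with the database) recovers every user's plaintext."""
    nonce, ct = record[:16], record[16:]
    stream = keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream)).decode()


# scrypt cost parameters: 2**14 iterations, 16 MiB of memory per guess.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32, maxmem=64 * 1024 * 1024)


def store_hashed(password):
    """Better design: per-user random salt plus a deliberately slow hash.
    There is no key and no function that returns the password."""
    salt = os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify_hashed(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record[:16], record[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    key = os.urandom(32)
    enc = store_encrypted("correct horse battery", key)
    print("encrypted record decrypts to:", recover_encrypted(enc, key))

    rec = store_hashed("correct horse battery")
    print("hash verifies right password:", verify_hashed("correct horse battery", rec))
    print("hash rejects wrong password: ", verify_hashed("Tr0ub4dor&3", rec))
```

The encrypted record also reveals the password's length, which the fixed-size hashed record does not.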
<p>In sum, Microsoft’s theory of why No-IP.com was negligent would condemn essentially every provider of free network services on the Internet, as well as many paid providers. We strongly disagree that following any of the four practices that Microsoft claimed No-IP.com failed to follow would be a good idea, much less best practice or a legal obligation.<a class="see-footnote" id="footnoteref1_jyeg53f" title="We have an additional technical legal quibble with the way Microsoft’s lawsuit against No-IP.com proceeded. The ex parte restraining order that Microsoft obtained, compelling the domain name registries to transfer No-IP.com domains to Microsoft, was authorized by Federal Rule of Civil Procedure 65. That rule however specifically provides that only the parties, their agents, and people in “active concert” with the parties can be bound by an ex parte restraining order. Microsoft’s order purported to bind the third-party domain name registries (companies that are neither agents of, nor in active concert with, No-IP.com) despite Rule 65’s prohibition." href="#footnote1_jyeg53f">1</a></p>
<h3>Going Forward</h3>
<p>We're glad that the disruption to No-IP.com's users lasted only a few days, and we have these suggestions for any company that wants to use the courts to eliminate threats to its users:</p>
<ul><li>Give notice to innocent intermediaries, <i>before </i>seizing their business.</li>
<li>Don't gloss over innocent uses and users of a service, especially when those uses may make up 99.9% of the service.</li>
<li>Abandon Microsoft's half-baked negligence theory that, if accepted, would mean the end to free network services.</li>
<li>Be prepared to actually meet the infrastructure demands that any proposed legal solution presents, so as not to cause more disruption than necessary.</li>
</ul><p>At the end of the day, we commend Microsoft for dropping its suit against No-IP.com so quickly, and we’re left hoping that the next time the company decides to take it upon itself to clean up the Internet, it will reconsider the tactics it employs to do so.</p>
<div></div>
<ul class="footnotes"><li class="footnote" id="footnote1_jyeg53f"><a class="footnote-label" href="#footnoteref1_jyeg53f">1.</a> We have an additional technical legal quibble with the way Microsoft’s lawsuit against No-IP.com proceeded. The <em>ex parte</em> restraining order that Microsoft obtained, compelling the domain name registries to transfer No-IP.com domains to Microsoft, was authorized by <a href="http://www.law.cornell.edu/rules/frcp/rule_65">Federal Rule of Civil Procedure 65</a>. That rule however specifically provides that only the parties, their agents, and people in “active concert” with the parties can be bound by an <em>ex parte</em> restraining order. Microsoft’s order purported to bind the third-party domain name registries (companies that are neither agents of, nor in active concert with, No-IP.com) despite Rule 65’s prohibition.</li>
</ul></div></div></div>
Thu, 10 Jul 2014 23:43:22 +0000
Nate Cardozo
81315 at https://www.eff.org
Free Speech
Coders' Rights Project
Security
Facebook's Ongoing Legal Saga with Power Ventures Is Dangerous To Innovators and Consumers
https://www.eff.org/deeplinks/2014/03/facebooks-ongoing-legal-saga-power-ventures-dangerous-innovators-and-consumers
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>As Facebook turned ten years old last month, a <a href="https://www.eff.org/cases/facebook-v-power-ventures">legal case</a> it brought against Power Ventures almost six years ago demonstrates the continued hurdles facing developers who seek to empower users to interact with closed services like Facebook in new and creative ways. In a new <a href="https://www.eff.org/document/eff-ninth-circuit-amicus-brief">amicus brief</a>, we caution the Ninth Circuit Court of Appeals not to extend crippling civil and criminal liability on services that provide competing or follow-on innovation.</p>
<p>Power Ventures made a web-based tool that allowed users to log into all of their social networking accounts in one place and aggregate messages, friend lists, and other data so they could see all their information in one place. To promote its service, it offered a $100 reward to users who could invite, through the Facebook Events system, a certain number of friends to sign up for Power's service. Because of the way Facebook designed its Events system, the messages appeared to come from Facebook directly, although the messages clearly identified the individual user who sent the invitation, as well as Power's service. Facebook eventually blocked one of several IP addresses Power used to connect to Facebook, and Power eventually stopped allowing Facebook users to use Power's service. </p>
<p>In 2008, Facebook sued Power, claiming it had violated the <a href="http://www.law.cornell.edu/uscode/text/18/1030">Computer Fraud and Abuse Act</a> (CFAA) and <a href="http://www.leginfo.ca.gov/cgi-bin/displaycode?section=pen&amp;group=00001-01000&amp;file=484-502.9">California Penal Code § 502</a> when it allowed users to access Facebook data after it blocked a specific IP address Power was using to connect to Facebook data. Facebook also claimed that Power violated the <a href="http://www.law.cornell.edu/uscode/text/15/chapter-103">CAN-SPAM Act</a>, the federal law that prohibits sending commercial emails with materially misleading information, when Power encouraged users to invite their friends to try Power. We've <a href="https://www.eff.org/press/archives/2010/05/03">filed</a> a <a href="https://www.eff.org/node/57427">number</a> of <a href="https://www.eff.org/node/57969">amicus</a> <a href="https://www.eff.org/document/eff-amicus-brief-0">briefs</a> in this case, arguing that Facebook's theories of liability were wrong and dangerous, and that users have the right to choose how they access their data.</p>
<p>While the district court initially <a href="https://www.eff.org/deeplinks/2010/07/court-violating-terms-service-not-crime-bypassing">agreed</a> with us that Facebook could not prove a CFAA violation by merely showing that Power violated Facebook's terms of service, it nonetheless <a href="https://www.eff.org/deeplinks/2012/02/court-finds-social-network-add-violated-spam-hacking-laws">ruled</a> in 2012 that Power was liable to Facebook under the CFAA and CAN-SPAM and, in 2013, ordered Power to pay more than $3 million in damages to Facebook, a significant amount that was remarkably less than the staggering $18 million Facebook initially sought. Power is now bankrupt and the case is before the Ninth Circuit, where we again filed an amicus brief in support of Power.</p>
<p>On the CFAA claims, our brief explains that working around an IP address block is a common non-criminal act in most instances. The CFAA is intended to go after hackers who circumvent technical restrictions in order to access data they are not otherwise entitled to, not users who utilize a third-party service to access their own data. Plus, circumventing a technical block merely enforcing Facebook's terms of service is not a violation of the CFAA. The only way to determine whether Power was violating the CFAA was to look at Power's motivation for working around Facebook's IP block. Here, the facts were in dispute: Facebook claimed Power was trying to circumvent the IP block, but Power claimed its business practice was to use multiple IP addresses and when one was blocked, it stopped trying to access Facebook. But the court never resolved this factual dispute, instead finding that using technology that merely has the <em>capability</em> to circumvent a technical restriction—regardless of what the technology actually did circumvent or regardless of the user's motivation for trying to circumvent—is enough to violate the CFAA. This is a dangerous idea, criminalizing innovations like Power's service, and turning Facebook users that used Power to access their own data into criminals.</p>
<p>Facebook's CAN-SPAM claims are just as dangerous. Congress passed CAN-SPAM to go after big-time spammers who hide their identities in order to bombard users with malware and phishing schemes. Captive email systems like Facebook's, where a user has no control over the header information of the message, were not contemplated in CAN-SPAM, which was signed into law on December 16, 2003—two months before Facebook was even launched. Plus the messages weren't misleading since a Facebook user that got an invitation knew all three parties to the communication: the friend who sent the invite, Facebook who facilitated the message, and Power, whose service was being promoted. But by finding Power liable, the lower court puts all Facebook users who use Events at unreasonable legal risk. For example, if a Facebook user is in a band and, using Facebook Events, invites friends to a local show with a small cover charge, that user has arguably sent a "misleading" commercial message under CAN-SPAM because, even though the friend sent the message, the header information will show the message came from Facebook. That user could be guilty of a <a href="http://www.law.cornell.edu/uscode/text/18/1037">crime</a> and liable for a <a href="http://www.law.cornell.edu/uscode/text/15/7706">significant financial penalty</a> for every message sent. This is an absurd interpretation of the law that criminalizes routine Internet behavior.</p>
<p>Facebook's claims here are dangerous, threatening to put the power of law—including serious criminal penalties—behind Facebook and other <a href="https://www.eff.org/deeplinks/2013/08/court-rules-accessing-public-website-isnt-crime-hiding-your-ip-address-could-be">companies</a>' anti-competitive decisions to thwart consumer choice and innovation that doesn't meet their approval. The information put into a social networking site belongs to the user, who should be able to access, export, and aggregate the data as they please. Hopefully the Ninth Circuit will understand and appreciate this, reversing a lower court decision that equates consumer choice with legal risk.</p>
</div></div></div><div class="field field-name-field-related-cases field-type-node-reference field-label-above"><div class="field-label">Related Cases:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/cases/facebook-v-power-ventures">Facebook v. Power Ventures</a></div></div></div>
Tue, 11 Mar 2014 21:54:08 +0000
Hanni Fakhoury
79320 at https://www.eff.org
Legal Analysis
Terms Of (Ab)Use
Coders' Rights Project
Computer Fraud And Abuse Act Reform
TrustyCon Ticket Auction Fundraiser
https://www.eff.org/deeplinks/2014/02/trustycon-ticket-auction-fundraiser
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><a href="http://www.ebay.com/usr/electronicfrontierfoundation"><img src="/files/2014/02/13/trustycon-auction.jpg" alt="" class="align-right" height="187" hspace="7px" width="187" /></a>EFF is offering four pairs of tickets to the sold-out Trustworthy Technology Conference on February 27 in San Francisco, CA. For the next week, we will <a href="http://www.ebay.com/usr/electronicfrontierfoundation">host auctions for full TrustyCon admission</a>. The winners of the auctions will each receive a year-long EFF Rare Earths Level Membership (normally a $500 contribution level) featuring the renowned <a href="https://www.eff.org/files/NSA-Closeup-FB-SM.jpg">NSA Spying hooded sweatshirt</a>. The best part is that every dollar from these auctions will go directly toward funding EFF's digital freedom initiatives, so please <a href="http://www.ebay.com/usr/electronicfrontierfoundation">bid today</a>.</p>
<p>In the spirit of strengthening and enriching the computer security community, EFF has chosen to give a pair of tickets to <a href="http://hackbrightacademy.com/">Hackbright Academy</a>. Hackbright's Bay Area engineering fellowship is designed to encourage women to hone their programming skills and empower themselves in the tech industry. We look forward to including more voices in the continuing discussion of technology, law, and ethics at TrustyCon.</p>
<p>EFF has long defended the computer security community's efforts to explore uncharted territory and share the research that moves innovation and user freedom forward. Please support coders' rights by <a href="http://www.ebay.com/usr/electronicfrontierfoundation">placing a bid</a> before the auction closes on Friday, February 21!</p>
</div></div></div>
Fri, 14 Feb 2014 19:39:06 +0000
Aaron Jue and Richard Esguerra
78922 at https://www.eff.org
Announcement
Coders' Rights Project

EFF Challenges New Jersey Subpoena Issued to MIT Student Bitcoin Developers
https://www.eff.org/deeplinks/2014/02/eff-challenges-new-jersey-subpoena-issued-mit-student-bitcoin-developers
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>As the popularity of Bitcoins has increased, government officials are <a href="https://www.eff.org/deeplinks/2013/10/silk-road-case-dont-blame-technology">concerned</a> about criminal activity associated with the virtual currency. But a recent <a href="https://www.eff.org/document/subpoena-jeremy-rubin-dba-tidbit">subpoena</a> issued by the New Jersey Division of Consumer Affairs to 19-year-old Bitcoin developer and MIT student Jeremy Rubin goes too far, and we're fighting back by <a href="https://www.eff.org/document/rubin-v-new-jersey-complaint">moving</a> to quash it.</p>
<p>Rubin and some other MIT classmates developed a computer code called Tidbit for the <a href="http://nodeknockout.com/">Node Knockout Hackathon</a> in November 2013. Tidbit uses a client's computer to mine for Bitcoins as an alternative to website advertising: in exchange for removing ads from a website, a user would give some CPU cycles to mine for Bitcoins instead. Tidbit was clearly presented as a proof of concept, with the developers making clear the code was configured not to mine for Bitcoins. That's because in addition to refining the code, they needed to work out the legal details, like drafting a terms of service, and the ethical details, like making sure there was a way for users to opt in to the service so their computers weren't being used to mine Bitcoins without their knowledge. Tidbit won the Node Knockout award for innovation and the students thought they were on their way to continuing with their project.</p>
<p>But in December, the New Jersey Division of Consumer Affairs issued a subpoena to Rubin, requesting he turn over Tidbit's past and current source code, as well as other documents and agreements with any third parties. It also issued 27 <a href="https://www.eff.org/document/interrogatories-jeremy-rubin-dba-tidbit">interrogatories</a> -- formal written questions -- requesting additional documents and ordering Rubin to turn over information like the names and identities of all Bitcoin wallet addresses associated with Tidbit, a list of all websites running Tidbit's code and the name of anybody whose computer mined for Bitcoins through the use of Tidbit, although Tidbit's code was not configured to mine for Bitcoins.</p>
<p>Tidbit asked us for help and we agreed to represent Rubin and Tidbit. We <a href="https://www.eff.org/document/letter-eff-nj-attorney-general">explained</a> to the New Jersey Attorney General that Tidbit's code as configured was incapable of mining for Bitcoins, meaning it could not provide much of the information requested in the subpoena. Plus, New Jersey had no jurisdiction to issue a subpoena to Rubin, who lived in Massachusetts, or Tidbit, which had no connections to New Jersey at all; the server housing the code is not located in New Jersey and Tidbit didn't do anything to target New Jersey users specifically. When the state still <a href="https://www.eff.org/document/nj-attorney-general-response-eff-letter">insisted</a> Tidbit comply with the subpoena, we moved to quash it in New Jersey state court with the help of attorney <a href="http://www.capelegal.com:81/Bio/FrankCorrado.html">Frank Corrado</a>.</p>
<p>We've <a href="https://www.eff.org/document/rubin-v-new-jersey-brief-support-motion-quash">raised</a> three arguments why the subpoena should be quashed. First, New Jersey's attempt to use state law to regulate Internet activity occurring outside of its borders violates the Dormant Commerce Clause. When it comes to software freely available and accessible anywhere on the Internet, states have to be very careful to only regulate conduct that occurs within their geographical borders. New Jersey is doing more than just investigating local websites or code stored in the state. Instead, its investigation suggests an attempt to target out-of-state conduct, a power the Constitution specifically reserves for Congress.</p>
<p>Second, since neither Tidbit nor Rubin has sufficient contacts with New Jersey, the state cannot exercise personal jurisdiction over either. Rubin is not a New Jersey resident and Tidbit's source code is not stored in the state. While New Jersey can certainly exercise personal jurisdiction over local websites or individuals in New Jersey with sufficient contacts to the state, it cannot do that here with Rubin or Tidbit.</p>
<p>Finally, we explain that if the subpoena is allowed to stand, Rubin should be granted immunity from prosecution for any code or documents he is required to turn over and for any answers to interrogatories he must give. Both the <a href="http://www.law.cornell.edu/constitution/fifth_amendment">Fifth Amendment</a> and New Jersey state law prohibit the government from compelling someone to testify against themselves. The state has already made clear it believes Rubin and Tidbit are in violation of New Jersey's Consumer Fraud Act. The state recently used consumer protection laws to secure a $1 million <a href="http://nj.gov/oag/newsreleases13/pr20131119a.html">settlement</a> from a gambling website that turned its users' computers into a botnet to mine for Bitcoins without the users' knowledge. It appears the state suspects Tidbit of something similar here, despite the fact Tidbit's code was only a proof of concept that could not mine for Bitcoins, and despite the fact Tidbit was clearly not planning to develop code that mined without a user's knowledge and consent.</p>
<p>Some of the interrogatories also suggest that New Jersey believes Rubin and Tidbit are in violation of criminal hacking laws. One interrogatory asks Rubin to provide a list of all instances where Tidbit and websites using the code "accessed consumer computers without express written authorization or accessed consumer computers beyond what was authorized." That language comes from New Jersey's <a href="http://lis.njleg.state.nj.us/cgi-bin/om_isapi.dll?clientID=47144118&amp;Depth=2&amp;depth=2&amp;expandheadings=on&amp;headingswithhits=on&amp;hitsperheading=on&amp;infobase=statutes.nfo&amp;record={17D6}&amp;softpage=Doc_Frame_PG42">computer fraud act</a>, which, in turn, is modeled after the federal <a href="http://www.law.cornell.edu/uscode/text/18/1030">Computer Fraud and Abuse Act</a>. Since the subpoena is clearly demanding Rubin incriminate himself by opening himself to both civil and criminal liability, the privilege against self-incrimination applies and he should be given immunity if ordered to comply with the subpoena.</p>
<p>We've <a href="https://www.eff.org/cases/mbta-v-anderson">seen</a> <a href="https://www.eff.org/issues/cfaa">firsthand</a> the power imbalance when the government zealously pursues young innovators at MIT with harsh laws. New Jersey absolutely has a right to investigate fraudulent consumer practices within the state, but burdening out-of-state college students with broad subpoenas—and suggesting Tidbit is liable for activity beyond its control—isn't the way to do that. </p>
<p>The court should set a hearing sometime at the end of February where we're hopeful the subpoena will be quashed. </p>
</div></div></div><div class="field field-name-field-related-cases field-type-node-reference field-label-above"><div class="field-label">Related Cases:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/cases/rubin-v-new-jersey-tidbit">Rubin v. New Jersey (Tidbit)</a></div></div></div>
Wed, 05 Feb 2014 19:55:51 +0000
Hanni Fakhoury
78698 at https://www.eff.org
Legal Analysis
Coders' Rights Project
Computer Fraud And Abuse Act Reform

What the Google Street View Decision Means for Researchers (and Cops)
https://www.eff.org/deeplinks/2013/09/what-google-street-view-decision-means-researchers-and-cops
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Is a Wi-Fi signal the equivalent of an FM radio station, blasting classic rock ballads through your car speakers?</p>
<p>Not to the Ninth Circuit Court of Appeals, which issued its long-awaited decision in <em><a href="http://cdn.ca9.uscourts.gov/datastore/general/2013/09/11/11-17483_opinion.pdf">Joffe v. Google</a></em> this week, the case where Google was sued for allegedly violating the Wiretap Act when its Street View cars sucked up data from wireless routers as they passed by.</p>
<p><strong>The Background</strong></p>
<p>Google's Street View feature allows users to see photographs of specific addresses on a Google map. To generate these pictures, Google deployed a fleet of cars with cameras mounted on top of their roofs to drive across the world and take pictures of everything it could. From 2007 to 2010 Google also equipped these cars with antennas and software that were capable of scanning wireless routers nearby in order to capture information like the network's name, a router's MAC addresses and whether a Wi-Fi network was encrypted or not. </p>
<p>Google did this to enhance the accuracy and precision of its location based services. But it also captured "payload data," or the actual data transmitted through the Wi-Fi networks, including emails, usernames, passwords and more. After Google was criticized for the collection it <a href="http://news.bbc.co.uk/2/hi/technology/8684110.stm">apologized</a> for the program in 2010, grounded the cars and has been <a href="http://www.theguardian.com/technology/2013/jun/21/google-street-view-payload-data">ordered</a> to delete the data in some countries.</p>
<p><strong>The Lawsuit and the Law</strong></p>
<p>Numerous class action lawsuits were filed against Google in 2010, claiming the company had violated federal and state wiretap laws by collecting this data. Although the <a href="http://www.law.cornell.edu/uscode/text/18/part-I/chapter-119">Wiretap Act</a> generally prohibits the interception of electronic and wire communications, Google moved to dismiss the case, arguing it didn't violate the law because its collection of the data was permitted under an exception to the Wiretap Act. Under <a href="http://www.law.cornell.edu/uscode/text/18/2511">18 U.S.C. § 2511(2)(g)(i)</a>, the interception of an "electronic communication" that "is readily accessible to the general public" is permitted.</p>
<p>This is really two related exceptions. The first covers electronic communications that are "readily accessible to the general public." For example, a message posted on a public message board. The second exception comes from the definition of "readily accessible to the general public" in <a href="http://www.law.cornell.edu/uscode/text/18/2510">18 U.S.C. § 2510(16)(a)</a>, which includes an unencrypted "radio communication." In essence, an unencrypted radio communication is always considered to be "readily accessible to the general public." So you can tune the radio in your car to any station without being guilty of wiretapping.</p>
<p>Google ultimately argued that its collection of the unencrypted Wi-Fi traffic was legal under the Wiretap Act for two reasons; first because unencrypted Wi-Fi signals are a "radio communication" which by definition is "readily accessible to the general public." And second, even if it wasn't a "radio communication," it was an electronic communication that in practice was "readily accessible to the general public."</p>
<p>Unfortunately, the Wiretap Act doesn't more specifically define what "radio communication" means and so the trial court had to resolve whether Wi-Fi signals are in fact what Congress meant by "radio communications" or not.</p>
<p>The lower court, after all the cases were consolidated, ultimately denied Google's motion, finding that unencrypted Wi-Fi signals weren't "radio communications," but rather electronic communications. It then rejected Google's fallback argument, finding that unencrypted Wi-Fi signals aren't "readily accessible to the general public."</p>
<p>The Ninth Circuit agreed with the trial court. On the "radio communication" issue, the appellate court ruled that Congress meant a "radio communication" to mean a "predominantly auditory broadcast" like an AM/FM or CB radio broadcast. Because data sent over a Wi-Fi signal isn't auditory, the Court held that it was not a "radio communication" under the Wiretap Act, regardless of whether a wireless access point used radio frequencies to communicate.</p>
<p>Having found that the "radio communication" exception didn't apply, it also rejected Google's second argument that unencrypted Wi-Fi signals are "readily accessible to the general public." The Court noted that unlike, for example, an FM radio station which could broadcast for miles, Wi-Fi signals are "geographically limited and fail to travel far beyond the walls of the home or office where the access point is located." In addition, the Court reasoned Wi-Fi signals aren't "accessible" because capturing them "requires sophisticated hardware and software" and "most of the general public lacks the expertise to intercept and decode payload data transmitted over a Wi-Fi network." As a result, the lawsuit against Google will now continue.</p>
<p><strong>The Good and The Bad</strong></p>
<p>First, the bad. If you're a security researcher in the <a href="http://www.ca9.uscourts.gov/content/view.php?pk_id=0000000135">Ninth Circuit</a> (which covers most of the West Coast) who wants to capture unencrypted Wi-Fi packets as part of your research, you better call a lawyer first (and we can <a href="https://www.eff.org/pages/legal-assistance">help</a> you with that). The Wiretap Act imposes both civil and serious criminal penalties for violations and there is a real risk that researchers who intentionally capture payload data transmitted over unencrypted Wi-Fi—even if they don't read the actual communications—may be found in violation of the law. Given the concerns about <a href="https://www.eff.org/issues/cfaa">over-criminalization</a> and overcharging, prosecutors now have another felony charge in their arsenal.</p>
<p>On the other hand, the decision also provides a strong argument that the feds and other law enforcement agencies that want to spy on data transmitted over unencrypted Wi-Fi will need to get a wiretap order to do so. We've seen the government use a device called a <a href="http://www.volokh.com/2012/11/19/united-states-v-stanley-and-the-fourth-amendment-implications-of-using-moocherhunter-to-locate-the-user-of-an-unsecured-wireless-network/">"moocherhunter"</a> without a search warrant to read Wi-Fi signals to figure out who's connecting to a particular wireless router. This decision suggests that to the extent the government uses a device like this (or even a <a href="https://www.eff.org/deeplinks/2012/10/stingrays-biggest-unknown-technological-threat-cell-phone-privacy">"stingray"</a> to the extent it can capture Wi-Fi signals) to capture payload data—even if just to determine a person's location—they'll need a wiretap order to do so. That's good news since wiretap orders are harder to get than a search warrant.</p>
<p>It's doubtful this will be the last word; lower courts have <a href="http://www.volokh.com/2012/09/06/district-court-rules-that-the-wiretap-act-does-not-prohibit-intercepting-unencrypted-wireless-communications/">disagreed</a> with each other and the Ninth Circuit is the first appellate court to rule on the tricky issue. We'll be following the cases closely to especially see how the government interprets the decision, both to see whether it prosecutes security researchers and whether it gets a wiretap order to use its exotic surveillance tools. </p>
</div></div></div>
Mon, 16 Sep 2013 17:39:40 +0000
Hanni Fakhoury
75672 at https://www.eff.org
Legal Analysis
Coders' Rights Project
Open Wireless

Federal Courts Still Scaremongering About RECAP and Spooky "Open Source" Software
https://www.eff.org/deeplinks/2013/09/federal-courts-still-scaremongering-about-recap-and-spooky-open-source-software
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Should we fear open source software? Of course not. But that hasn’t stopped federal courts from issuing <a href="https://ecf.mad.uscourts.gov/cgi-bin/ShowIndex.pl">bizarre warnings</a> like this:</p>
<blockquote><p>The court would like to make CM/ECF filers aware of certain security concerns relating to a software application or “plug-in” called RECAP … Please be aware that RECAP is “open-source” software, which can be freely obtained by anyone with Internet access and modified for benign or malicious purposes … .</p></blockquote>
<p>To understand this strange edict, we need to review the history of RECAP and why it might be unpopular with court officials.</p>
<p>Open courts are essential to an accountable, democratic legal system. With some <a href="https://www.eff.org/deeplinks/2013/06/government-says-secret-court-opinion-law-underlying-prism-program-needs-stay">notable exceptions</a>, court proceedings in the United States are public. But if you want to access these public records online, you will be hit with a big fee. The official <a href="https://en.wikipedia.org/wiki/PACER_(law)">PACER</a> system charges for almost any activity (e.g. searching, viewing dockets) and charges 10 cents per page. These fees <a href="http://www.techdirt.com/articles/20130210/13250821938/providing-electronic-access-to-public-records-is-expensive-other-government-excuses-pacer-fees.shtml">vastly exceed</a> the actual cost of providing electronic access. And while 10 cents per page may not sound like much, the costs can quickly add up. PACER’s exorbitant rates hit litigants, <a href="http://docs.burningbird.net/mon-09022013-1053/no-appeal-pacer-fee-exemption-decision">non-profit media outlets</a>, and <a href="http://fightcopyrighttrolls.com/">citizen watchdogs</a> alike.</p>
<p>In 2008, <a href="https://www.eff.org/deeplinks/2013/01/farewell-aaron-swartz">Aaron Swartz</a> and others began a <a href="http://arstechnica.com/tech-policy/2013/02/the-inside-story-of-aaron-swartzs-campaign-to-liberate-court-filings/">pioneering campaign</a> to liberate public documents from behind the PACER paywall. At first, Swartz used free library access to collect the documents. When the courts shut down that program, the campaign turned to crowdsourcing – with individual PACER users submitting documents to a public archive. To facilitate this, the <a href="https://citp.princeton.edu/">Center for Information Technology</a> at Princeton University created a browser extension for Firefox and Chrome called <a href="https://www.recapthelaw.org/about/">RECAP</a> (which ‘turns PACER around’). Users with the extension automatically send documents uploaded from PACER to a repository hosted by the Internet Archive. RECAP takes great care to protect private information. It only archives public documents and quickly deletes any private information mistakenly released by the courts. Since 2009, the RECAP project has liberated more than 2 million public documents.</p>
<p>The government has responded with hostility. First, in an eerie precursor to his <a href="https://www.eff.org/deeplinks/2013/03/aaron-swartzs-lawyers-accuse-prosecutors-misconduct-help-next-aaron-reforming-cfaa">later prosecution</a> for downloading documents from JSTOR, the <a href="http://www.aaronsw.com/weblog/fbifile">FBI investigated</a> Aaron Swartz for purported violations of the <a href="https://www.eff.org/issues/cfaa">overbroad and draconian CFAA</a>. After the FBI dropped that investigation, courts began warning lawyers not to use RECAP because it was “open source” software and might facilitate the sharing of sealed documents. These messages were <a href="http://www.techdirt.com/articles/20090824/0452165974.shtml">widely</a> <a href="http://www.popehat.com/2009/08/24/information-should-be-free-unless-youre-already-paying-for-it/">criticized</a> as misleading. Yet, years later, a number of courts still insist on <a href="https://ecf.kywd.uscourts.gov/cgi-bin/ShowIndex.pl">posting</a> the <a href="http://www.ohnd.uscourts.gov/home/clerk-s-office-and-court-records/electronic-filing/">same</a> <a href="https://ecf.mad.uscourts.gov/cgi-bin/ShowIndex.pl">misguided scaremongering</a>.</p>
<p>Of course, there is no reason to fear open source software simply because it is open source. The courts might be under the misconception that RECAP development works something like Wikipedia, where any contributor's changes are adopted immediately. Instead, RECAP, like other open source software, has a maintainer to coordinate its development, actively reviewing all proposed changes to decide which ones to include or reject. (In RECAP's case, the Firefox version is maintained by <a href="https://twitter.com/harlanyu">Harlan Yu</a>, <a href="https://twitter.com/binarybits">Timothy B. Lee</a>, <a href="https://twitter.com/sjschultze">Stephen Schultze</a>, and <a href="https://twitter.com/dhruvee">Dhruv Kapadia</a>, and the Chrome version by <a href="https://twitter.com/zestyping">Ka-Ping Yee</a>. These individual developers are directly responsible for the content and functionality of the RECAP software—they just don't try to keep how it works a secret.)</p>
<p>For any sort of software, whether open source or proprietary, the provenance of particular downloads is of crucial importance—since anyone could make a fake download site with malicious versions. So users should always be careful about where their downloads come from and how they know they're authentic. As for RECAP, the best way court officials could help protect user security would be to direct users to the <a href="https://www.recapthelaw.org/">correct RECAP site</a>.</p>
<p>Unfortunately, the federal court RECAP warnings are not the only example of scaremongering and technophobia in the justice system. The <a href="https://www.eff.org/deeplinks/2013/07/manning-verdict-and-hacker-madness-prosecution-strategy">government routinely treats</a> computer expertise as stand-alone evidence of nefarious intent. And prosecutors seek <a href="https://www.eff.org/deeplinks/2013/03/41-months-weev-understanding-how-sentencing-guidelines-work-cfaa-cases-0">excessive sentences</a> in computer-related cases, such as the <a href="https://www.eff.org/deeplinks/2013/03/aaron-swartzs-lawyers-accuse-prosecutors-misconduct-help-next-aaron-reforming-cfaa">vindictive prosecution</a> that ended with Aaron Swartz’s tragic suicide (it is particularly sad to see the absurd RECAP warning posted by the Federal Court for the District of Massachusetts, where that prosecution took place). Whether these actions are the result of deep ignorance or deep cynicism, we deserve better.</p>
<p>Aaron Swartz’s campaign to open access to court documents was just one chapter in a brief and extraordinary life. On September 19, we will honor him with an <a href="https://www.eff.org/press/releases/late-digital-rights-activist-international-access-knowledge-advocate-and-nsa-spying">EFF Pioneer Award</a>. Another small way to honor his work is to install the <a href="https://www.recapthelaw.org/">RECAP extension</a> and contribute to open government one PACER download at a time.</p>
</div></div></div>
Wed, 11 Sep 2013 18:11:20 +0000
Daniel Nazer and Seth Schoen
75575 at https://www.eff.org
Coders' Rights Project
Open Access
Computer Fraud And Abuse Act Reform

EFF's Encryption T-Shirt Puzzle - Solved!
https://www.eff.org/deeplinks/2013/08/effs-encryption-t-shirt-puzzle-solved
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>After days of anticipation, EFF's "<a href="https://www.eff.org/deeplinks/2013/07/encryption-key-t-shirt-and-puzzle-def-con-21">Encryption is Key</a>" t-shirt for DEF CON 21 has been solved! DEF CON holds a special place in our hearts as one of the premier hacking conferences in the US, so for the past few years we have created special member t-shirts to honor the creative spirit of the infosec community. We started with "<a href="https://www.eff.org/files/images_insert/def_con_shirt_back.jpg">Things to Hack</a>" at DC18, "<a href="https://www.eff.org/deeplinks/2011/07/encryption-saves">Encryption Saves</a>" at DC19, and our robot-pwning "<a href="https://www.eff.org/deeplinks/2012/05/effs-new-def-con-20-t-shirt">Script Kitty</a>" at DC20. For DEF CON 21, EFF Senior Designer <a href="https://www.eff.org/about/staff/hugh-dandrade">Hugh D'Andrade</a> and Staff Technologist <a href="https://www.eff.org/about/staff/micah-lee">Micah Lee</a> took it a step further and created a one-of-a-kind cryptographic puzzle. The skeleton key embedded in code is your first clue that a mystery is afoot. (<em>Ahoy! Thar be spoilers ahead!</em>)</p>
<p></p><center><img src="https://www.eff.org/files/images_insert/key_fb.png" alt="" title="Shirt front under regular light and UV light." height="389" width="549" /></center>
<p>The binary around the key spells out "<em>violating terms of service is not a crime</em>" in ASCII, a reference to EFF's continuing efforts to reform the <a href="https://www.eff.org/issues/cfaa">Computer Fraud and Abuse Act (CFAA)</a>, the draconian US anti-hacking law. (Special thanks to everyone at DEF CON who demanded action from their Congressional representatives at our <a href="https://twitter.com/wbm312/status/363383958597152768">CFAA DC Dialer phone booth</a>!)</p>
<p>But there's more to the puzzle. Some of the zeroes and ones in the binary block glow in the dark. Converting only the glowing digits to ASCII spells out "<em>d[EFF]con</em>" in recognition of our ongoing work with the community. Note also that the key and red box are surrounded by black ciphertext symmetrically encrypted using GnuPG. Using the passphrase "<em>d[EFF]con</em>" decrypts the ciphertext to reveal the entire US Bill of Rights!</p>
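<p>The two binary layers described above can be reproduced in a few lines. This is an added example, not EFF's code: the two phrases come from the article, but the positions of the "glowing" digits are constructed here by a greedy match and are an assumption, not the layout printed on the shirt. The GnuPG layer is not reproduced.</p>

```python
"""Added example: two ASCII messages carried by one block of binary digits."""

COVER_TEXT = "violating terms of service is not a crime"  # phrase from the article
HIDDEN_TEXT = "d[EFF]con"                                 # passphrase from the article


def to_bits(text):
    """ASCII text -> string of '0'/'1', eight digits per character."""
    return "".join(format(byte, "08b") for byte in text.encode("ascii"))


def from_bits(bits):
    """String of '0'/'1' -> ASCII text; rejects partial bytes and non-ASCII values."""
    if len(bits) % 8:
        raise ValueError("bit count %d is not a multiple of 8" % len(bits))
    values = [int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)]
    if any(value > 0x7F for value in values):
        raise ValueError("byte outside the 7-bit ASCII range")
    return bytes(values).decode("ascii")


def choose_glow_mask(cover_bits, hidden_bits):
    """Mark cover digits as glowing so that, read in order, they equal hidden_bits.

    Greedy subsequence match: for each hidden digit, take the next unused
    cover digit with the same value. The resulting positions are constructed
    for this example only.
    """
    mask = [False] * len(cover_bits)
    pos = 0
    for bit in hidden_bits:
        pos = cover_bits.find(bit, pos)
        if pos == -1:
            raise ValueError("cover text is too short to carry the hidden text")
        mask[pos] = True
        pos += 1
    return mask


def read_glowing(cover_bits, mask):
    """Solver side: keep only the glowing digits and decode them as ASCII."""
    if len(mask) != len(cover_bits):
        raise ValueError("mask and cover must have the same length")
    return from_bits("".join(b for b, glow in zip(cover_bits, mask) if glow))


def solve():
    """Build the printed block, then recover both messages from it."""
    cover_bits = to_bits(COVER_TEXT)
    mask = choose_glow_mask(cover_bits, to_bits(HIDDEN_TEXT))
    return from_bits(cover_bits), read_glowing(cover_bits, mask)


if __name__ == "__main__":
    visible, hidden = solve()
    print("all digits     :", visible)
    print("glowing digits :", hidden)
```

<p>The passphrase recovered from the second layer is short and printed in plain sight on the artifact it protects, which is the point of the closing lesson in the post: the cipher holds, the passphrase is the weak link.</p>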
<p class="image-right"><img src="https://www.eff.org/files/images_insert/adapw.png" alt="" title="Stronger passwords, people!" height="281" width="179" /></p>
<p>Following a URL at the end would lead you to a brief message from Cyborg Ada Lovelace, with the ultimate passphrase seen under her portrait. (She shares an important lesson: Encryption works, but don't get lazy!)</p>
<p>The first 10 people who solved our puzzle have been notified and will receive a beautiful, limited-edition 18" x 24" silkscreen print of the Bill of Rights design, signed &amp; numbered by the artists!</p>
<p>EFF works diligently to protect the innovative spirit of coders, hackers, and reverse engineers every day. Thank you to all of the people who have <a href="https://eff.org/membership-drive">joined the movement</a> to protect digital freedom and fight for a better future.</p>
</div></div></div>
Wed, 07 Aug 2013 22:06:21 +0000
Aaron Jue
75296 at https://www.eff.org
Announcement, Coders' Rights Project, Computer Fraud And Abuse Act Reform
Speculation Trumps Academic Freedom: UK Court Censors Security Researchers for Reverse Engineering Publicly Available Software
https://www.eff.org/deeplinks/2013/08/speculation-trumps-academic-freedom-uk-court-censors-security-researchers-reverse
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Next week, one of the most respected security research conferences in the world, the <a href="https://www.usenix.org/conference/usenixsecurity13">USENIX Security Symposium</a>, will be held in Washington D.C. Thanks to a <a href="http://www.bailii.org/ew/cases/EWHC/Ch/2013/1832.html">gag order </a>from a British court, however, it won't go quite as planned. The order forbids the authors of a paper describing fundamental flaws in car lock systems from discussing key aspects of the work, based on nothing more than speculation about a <em>third party's</em> alleged “misuse of confidential information.” </p>
<p></p>
<p>We’ve taken a closer look at the court’s ruling and it’s a doozy. According to the court, the researchers (1) reverse engineered a software program called Tango Programmer that’s been sold online since 2009; (2) in the process, identified an algorithm used in a popular car unlocking system; (3) identified fundamental security flaws in that algorithm; and (4) disclosed those flaws to the vendor of the system nine months before the conference. One month before the deadline for final submission to the conference, Volkswagen, who uses the software, ran to court to stop it. </p>
<p></p>
<p>The researchers acted responsibly and methodically. They used the time-honored technique of reverse engineering publicly available software and disclosed in plenty of time to address the issue. So, why can’t they advise car owners of the problem so that they can protect themselves? </p>
<p></p>
<p>Because, according to the court, Tango Programmer was of "clearly murky origin.” While the software had been available online for years without any apparent problem, in the court's view, the researchers had an affirmative obligation to establish that the software did not contain stolen confidential business information. </p>
<p></p>
<p>It is all too clear that the court’s opinion is clouded by its view that the researchers – respected scholars at major universities – are <a href="https://www.eff.org/deeplinks/2013/07/manning-verdict-and-hacker-madness-prosecution-strategy">irresponsible hackers</a>:</p>
<blockquote><p>The claimants do not have an overwhelming case on the merits, not even a very strong one, but the Tango Programmer has a clearly murky origin, and that is obvious to the defendants… In my judgment, the defendants have taken a reckless attitude to the probity of the source of the information they wish to publish.</p>
</blockquote>
<p>To be clear, there’s no evidence in the record as to how Tango Programmer was developed, and the researchers stated that they assumed it was developed based on a perfectly lawful technique, chip splicing. The court dismissed that statement out of hand, and looked instead to the website on which the program was sold. Based on language on the site, the court concluded that the sellers of Tango Programmer knew the software “is likely to facilitate crime.” And, the researchers themselves observed that Tango Programmer offers “functionality that goes beyond 'legitimate' usage.” </p>
<p></p>
<p>As an initial matter, this is looking at security research presentations through the wrong lens. Research on programs that could be misused enhances security by exposing the flaws and encouraging fixes. Computer security would be a farce if it avoided all "murky" software.</p>
<p></p>
<p>But even accepting the court's framing, the possibility of <em>misuse</em> says nothing about whether the program was <i>developed </i>using stolen confidential information, much less whether the researchers acted recklessly in using the program for their legitimate purposes.</p>
<p></p>
<p>The court pays a fair amount of lip service to academic freedom, but it’s just that: lip service. Even though it concedes that the case against the researchers is “not very strong,” even though there are many easier ways of stealing cars than the exploit that would be disclosed, even though Tango Programmer could have been developed without relying on stolen information, and even though car owners might be better off knowing about the flaws in the security systems on which they rely, the court nonetheless concludes that academic freedom has to give way to “the security of millions” of cars. </p>
<p></p>
<p>Again, the court gets it exactly backwards. The security of millions of cars depends on robust research into their flaws, and presentations of vulnerabilities and exploits at academic conferences ultimately enhance security. Security through obscurity is widely and correctly rejected by the security community, and security through willfully ignoring a publicly available program is even worse.</p>
<p></p>
<p>Taken as a whole, the ruling sends a terrible message to researchers: if the flaws you expose are sufficiently consequential, you can be censored based on nothing more than sheer speculation about the activities of third parties. The irony, of course, is that these researchers have been punished precisely because they acted responsibly and disclosed their research well in advance of publication. Indeed, the whole situation could have been avoided if the vendor had done its part and addressed the flaw in the first place. </p>
<p></p>
<p>This ruling was issued by a U.K. court. If the case had been brought in the U.S., things might have been quite different. Under U.S. law, the person who wishes to publish doesn’t have the burden of proving there was no misappropriation just because the information is of "'murky' origin." More broadly, a U.S. court would not issue a preliminary injunction where the claimants' case was "not even . . . very strong" -- quite the contrary. U.S. law has been <a href="https://www.eff.org/deeplinks/2008/08/mit-students-still-gagged-federal-court">used to thwart</a> the <a href="http://w2.eff.org/IP/DMCA/Felten_v_RIAA/">publication of security research</a> in a number of ways, but a bogus trade secret claim is the weakest tool in the kit. </p>
<p></p>
<p>EFF senior staff attorney Kurt Opsahl will be participating in a <a href="https://www.usenix.org/conference/hotsec13/balancing-academic-freedom-and-responsibility-security-research">USENIX-sponsored workshop on academic freedom</a> on the eve of the Security Symposium. We hope the workshop will provide a much-needed opportunity for USENIX community members to share their perspective on this censorship, and consider ways to take action. </p>
</div></div></div>
Tue, 06 Aug 2013 22:55:02 +0000
Corynne McSherry
75291 at https://www.eff.org
Free Speech, No Downtime for Free Speech, Coders' Rights Project
The Bradley Manning Verdict and the Dangerous “Hacker Madness” Prosecution Strategy
https://www.eff.org/deeplinks/2013/07/manning-verdict-and-hacker-madness-prosecution-strategy
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Bradley Manning was <a href="https://pressfreedomfoundation.org/sites/default/files/07-30-13-AM-session.pdf">convicted</a> (PDF) on 19 counts today, including charges under the Espionage Act and the Computer Fraud and Abuse Act for leaking approximately 700,000 government documents to WikiLeaks. While it was a relief that he was not convicted of the worst charge “aiding the enemy,” the verdict remains deeply troubling and could potentially result in a sentence of life in prison. The sentencing phase starts tomorrow, and a fuller legal opinion from the judge should also come soon.</p>
<p>We will likely have a deeper analysis of the verdict later, but two things stand out as particularly relevant to<span class="st">—</span>and especially frightening for<span class="st">—</span>folks who love the Internet and use digital tools.</p>
<p>First, the decision today continues a trend of government prosecutions that use familiarity with digital tools and knowledge of computers as a scare tactic and a basis for obtaining grossly disproportionate and unfair punishments, strategies enabled by broad, vague laws like the CFAA and the Espionage Act. Let's call this the “hacker madness” strategy. Using it, the prosecution portrays actions taken by someone using a computer as more dangerous or scary than they actually are by highlighting the digital tools used to a nontechnical or even technophobic judge.</p>
<p>In the Manning case, the prosecution pointed to Manning’s use of a standard, over 15-year-old Unix program called <a href="https://en.wikipedia.org/wiki/Wget">Wget</a> to collect information, as if it were a dark and nefarious technique. Of course, anyone who has ever called up this utility on a Unix machine, which at this point is likely millions of ordinary Americans, knows that this program is no more scary or spectacular (and far less powerful) than a simple Google search. Yet the court apparently didn’t know this and seemed swayed by it.</p>
<p>We’ve seen this trick before. In a case EFF handled in 2009, Boston College police <a href="https://www.eff.org/deeplinks/2009/04/boston-college-prompt-commands-are-suspicious">used</a> the fact that our client worked on a GNU/Linux operating system with “a black screen with white font” as part of a basis for a search warrant. Luckily the Massachusetts Supreme Court <a href="https://www.eff.org/deeplinks/2009/05/mass-sjc-tosses-calixte-warrant">tossed out</a> the warrant after EFF got involved, but who knows what would have happened had we not been there. And happily, Oracle got a big surprise when it tried a similar trick in Oracle v. Google and discovered that the <a href="http://news.cnet.com/8301-1035_3-57445082-94/judge-william-alsup-master-of-the-court-and-java/">Judge was a programmer</a> and sharply called them on it. </p>
<p>But law enforcement keeps using this technique, likely based on a calculation that most judges aren’t as technical as ordinary Americans, may even be afraid of technology, and can be swayed by the ominous use of technical jargon and techniques<span class="st">—</span>playing to media stereotypes of evil computer geniuses. Indeed the CFAA itself apparently was a response to President Ronald Reagan’s <a href="http://news.cnet.com/8301-13578_3-57573985-38/from-wargames-to-aaron-swartz-how-u.s-anti-hacking-law-went-astray/">fears after watching</a> the completely fictional movie <em>War Games</em>.</p>
<p>Second, while the court did not convict on the "aiding the enemy" charge, the government's argument—that publishing something to the general public on the Internet can count as “aiding the enemy”—has strong digital overtones. The "aiding the enemy" charge is a <a href="https://pressfreedomfoundation.org/blog/2013/07/how-todays-aiding-enemy-ruling-bradley-mannings-case-could-affect-journalists-and">breathtakingly broad military charge</a> never before used against a leaker to the press. It is shocking that the government would even make this argument and that the judge didn't dismiss it outright. The prosecution argued that even if Manning never intended to aid the enemy, and even though the government did not need to prove the information published by WikiLeaks ever harmed the U.S., the mere fact it ended up on the Internet means he is guilty of a capital crime.</p>
<p>This argument wasn’t actually confined to WikiLeaks<span class="st">—</span>the <a href="http://tv.msnbc.com/2013/07/18/aiding-the-enemy-charge-allowed-in-trial-of-bradley-manning/">government admitted</a> during the trial that its claims would apply equally to the <em>New York Times</em> or other traditional media. But the reason this argument wasn’t laughed out of court, we suspect, is the digital environment. After all, Adolf Hitler certainly had access to American newspapers, as did Joseph Stalin, Fidel Castro, Mao Zedong, Hồ Chí Minh or any other past enemy of America. The court tried to dress it up a bit, <a href="http://www.guardian.co.uk/commentisfree/2013/jul/19/bradley-manning-trial-aiding-the-enemy-charge">noting that Manning</a> “trained in intelligence and received training on the fact that that enemy uses the internet to collect information about the United States,” as if this is something that only someone with specialized “Internet training” would know.</p>
<p>But of course it’s not. Everyone (at least everyone who regularly uses the Internet) knows that the Internet is used by good people and bad people all over the world and that anything published is, well, published and available to all. This is a <em>feature</em> of the Internet, not a <em>bug</em>, yet here it played into distorting the “aiding the enemy” crime out of all proportion and may have played a role in the five other counts under Espionage Act claims that he was convicted of. Even without this claim, Manning still faces life imprisonment—no member of the press or public interested in more transparency about how our military works (or doesn't work) should rest easy with this verdict.</p>
<p>Manning will appeal of course. And in the long run, these tactics will likely stop working as more people become familiar with technologies. In the meantime, real harm to real people happens through overreaction, over-prosecution, and over-penalization. And the harm also occurs to the public, which becomes less informed about governmental misconduct at home and abroad. </p>
<p>Here’s hoping the military appellate court has a programmer or two on it and can see through the scare tactics and technophobia that the prosecution has been doling out. But we're not holding our breath.</p>
</div></div></div>
Tue, 30 Jul 2013 19:20:27 +0000
Cindy Cohn
75210 at https://www.eff.org
Commentary, Free Speech, Wikileaks, Coders' Rights Project, Computer Fraud And Abuse Act Reform
EFF in Las Vegas for Computer Security Conferences
https://www.eff.org/deeplinks/2013/07/eff-las-vegas-computer-security-conferences
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>EFF is heading to fabulous Las Vegas this week for the summer security conferences: Black Hat USA, Security B-Sides Las Vegas and DEF CON. We're excited to see everyone there!</p>
<h3>Booths:</h3>
<p><img class="align-right" src="https://www.eff.org/files/images_insert/defconbooth.jpg" alt="Photo by visage used under CC license" height="183" width="275" /> Come by the EFF booth to learn about our latest work, renew your membership, check out the new t-shirts or just to say hello.</p>
<ul><li><strong>Black Hat Briefings (Caesar's Palace)</strong>: Open Wednesday, July 31 to Thursday, August 1.</li>
<li><strong>BSidesLV (Tuscany)</strong>: Open Wednesday, July 31 to Thursday, Aug 1.</li>
<li><strong>DEF CON (Rio)</strong>: Two booth locations (vendor area and contests!) open Friday, August 2 to Sunday, August 4.</li>
</ul><p> </p>
<h3>Activities:</h3>
<ul><li><img class="align-left" src="https://www.eff.org/files/images_insert/telephone_booth.58581.jpg" alt="We're actually renting this phone booth." height="157" width="157" /><strong>Call Congress at the CFAA DC Dialer Booth:</strong> EFF is bringing a phone booth to the DEF CON Contest &amp; Event area, so you can make a toll-free call to your representatives to speak out on <a href="https://www.eff.org/deeplinks/2013/06/aarons-law-introduced-now-time-reform-cfaa">Aaron's Law</a>, the bill designed to bring some much needed reform to the CFAA. (Yes, we're actually bringing that phone booth.)</li>
<li><strong>DEF CON: Vegas 2.0's <a href="http://www.vegassummit.org">theSummit Party</a>:</strong> Once again, Vegas 2.0 is hosting an event at DEF CON and raising money for EFF. "You can hobnob with similarly freedom-inclined cyberfolk, win a raffle or some door prizes, shake your pants to DJ Jackalope and others and rest easy in the knowledge that every penny generated goes straight to the EFF." Come and meet the many amazing <a href="http://www.vegassummit.org/Featured_Guests.html">featured guests</a>. 20:30 at the Rio.</li>
<li><strong>R00tz (formerly DEF CON Kids):</strong> The third annual <a href="http://www.r00tz.org">r00tz Asylum</a> at DEF CON is free to kids aged 8-16 that have purchased a DEF CON conference badge ($180 cash at DEF CON registration). Schedule TBD.</li>
</ul><p> </p>
<h3>Talks:</h3>
<p><strong>Wednesday, July 31</strong></p>
<p><em>• Black Hat: <a href="https://www.blackhat.com/us-13/briefings.html#Hofmann1">Legal Considerations for Cellular Research</a>, 10:15 in Palace 1</em></p>
<p>EFF Attorney Kurt Opsahl and EFF Fellow Marcia Hofmann will give a turbo talk on legal considerations for cellular research. This briefing will provide a legal overview of what a researcher should keep in mind when investigating mobile communications, technologies, and networks.</p>
<p><em>• Black Hat: <a href="https://www.blackhat.com/us-13/briefings.html#Hofmann2">What Security Researchers Need to Know</a>, 11:45 in Palace 3</em></p>
<p>EFF Fellow Marcia Hofmann will explain why the Computer Fraud and Abuse Act is such a dangerous tool in the hands of overzealous prosecutors.</p>
<p><em>• Black Hat: <a href="https://www.blackhat.com/us-13/briefings.html#Opsahl">Town Hall Meeting: Reforming the CFAA</a> 17:00 in Florentine</em></p>
<p>In this town hall meeting, join activists involved in CFAA reform efforts to discuss how you can get involved in the public debate around CFAA reform and strategize about how to have the most impact. With Kurt Opsahl, Marcia Hofmann, EFF Policy Analyst Mark Jaycox, Kevin Bankston of the Center for Democracy &amp; Technology, Jonathan Mayer of Stanford Center for Internet and Society, and Alex Stamos of Artemis and expert witness on Aaron Swartz’s side of US vs Swartz.</p>
<p><strong>Thursday, August 1</strong></p>
<p><em>• DEF CON: <a href="https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Rennie">Hacker Law School</a>, 10:00 in Track 3</em></p>
<p>This workshop will provide you with the fundamentals of Intellectual Property, Criminal Law, and Criminal Procedure that you need to protect yourself. With attorney Jim Rennie &amp; EFF Fellow Marcia Hofmann.</p>
<p><em>• B-Sides Las Vegas: <a href="http://www.bsideslv.org/schedule/">Ask the EFF </a>Panel, 16:00-17:00 in the Underground (Siena)</em></p>
<p>Once again, the Electronic Frontier Foundation returns to the Underground to answer your toughest Off-the-Record queries. Question some of the greatest minds in the field of internet law, in what is fast becoming an annual BSidesLV tradition.</p>
<p><strong>Friday, August 2</strong></p>
<p>• <em>DEF CON: <a href="https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Ask-the-EFF">Ask the EFF:</a></em><a href="https://www.defcon.org/html/defcon-21/dc-21-speakers.html#Ask-the-EFF"> <em>The Year in Digital Civil Liberties</em></a><em>, 14:00 in Track 4</em></p>
<p>Get the latest information about how the law is racing to catch up with technological change from staffers at the EFF. This session will include updates on current EFF issues such as surveillance online and fighting efforts to use intellectual property claims to shut down free speech and halt innovation, discussion of our technology project to protect privacy and speech online, updates on cases and legislation affecting security research, and much more.</p>
</div></div></div>
Mon, 29 Jul 2013 18:14:27 +0000
Kurt Opsahl
75155 at https://www.eff.org
Announcement, Coders' Rights Project
Weev's Case Flawed From Beginning to End
https://www.eff.org/deeplinks/2013/07/weevs-case-flawed-beginning-end
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>As Andrew "Weev" Auernheimer finishes his third month in a federal penitentiary, on Monday we <a href="https://www.eff.org/press/releases/appeal-filed-free-andrew-weev-auernheimer">filed</a> our <a href="https://www.eff.org/node/74804">appeal</a> of the computer researcher's <a href="http://www.wired.com/threatlevel/2012/11/att-hacker-found-guilty/">conviction</a> and <a href="http://www.wired.com/threatlevel/2013/03/att-hacker-gets-3-years/">41-month prison sentence</a> for violating the <a href="http://www.law.cornell.edu/uscode/text/18/1030">Computer Fraud and Abuse Act</a> (CFAA) and <a href="http://www.law.cornell.edu/uscode/text/18/1028">identity theft</a> statute.</p>
<p>Auernheimer's case is the latest chapter in the ongoing battle over the breadth of the CFAA, the sweeping federal anti-hacking law that has been stretched to cover all sorts of non-hacking behavior. Intended to go after <a href="http://news.cnet.com/8301-13578_3-57573985-38/from-wargames-to-aaron-swartz-how-u.s-anti-hacking-law-went-astray/">malicious, criminal hacking</a>, the CFAA has been aggressively used to prosecute behavior like creating a <a href="https://www.eff.org/cases/united-states-v-drew">fake MySpace page</a>, <a href="https://www.eff.org/cases/u-s-v-nosal">misusing employer data</a> and, in the case of <a href="https://www.eff.org/deeplinks/2013/01/farewell-aaron-swartz">Aaron Swartz</a>, downloading scholarly articles he was actually entitled to access.</p>
<p>Weev's conviction is a prime example of how the CFAA <a href="https://www.eff.org/document/cfaa-and-security-researchers">threatens security researchers</a> with prison sentences for discovering security vulnerabilities.</p>
<p>Here's the back story. In 2010, Weev's co-defendant Daniel Spitler discovered AT&amp;T configured its website to automatically publish an iPad user's e-mail address when the server was queried with a URL containing the number that matched an iPad's SIM card ID. In other words, if anyone typed in the correct URL with a correct ID number, the e-mail address associated with that account would automatically appear in the login prompt. Spitler wrote a script that attempted to emulate the IDs by entering random numbers into the URL and, as a result, ultimately collected approximately 114,000 e-mail addresses. Auernheimer sent a list of the e-mail addresses to several journalists to prove the security problem, and <em>Gawker</em> published a <a href="http://gawker.com/5559346/apples-worst-security-breach-114000-ipad-owners-exposed">story</a> about the vulnerability. </p>
<p>Although Auernheimer's actions helped motivate AT&amp;T to fix the hole, he was rewarded with a federal indictment instead of a <a href="http://www.itproportal.com/2013/06/20/microsoft-follows-google-and-facebook-with-100000-bug-bounty-programme/">bounty.</a> Federal prosecutors in New Jersey claimed that Weev and Spitler accessed data—the e-mail addresses—without authorization under the CFAA despite the fact AT&amp;T made the information publicly available over the Internet. After Auernheimer was convicted and sentenced, we <a href="https://www.eff.org/press/releases/eff-joins-andrew-auernheimer-case-appeal">joined his appeal team</a> and in our brief to the 3rd U.S. Circuit Court of Appeals, we give five reasons why Auernheimer's conviction and sentence must be reversed. </p>
<p><strong>No Crime Occurred in New Jersey</strong></p>
<p>The place where a criminal case is brought<span class="st">—</span>a concept known as "venue"<span class="st">—</span>is typically where the crime occurred. At the time Spitler discovered the hole in AT&amp;T's website, he was in California. Auernheimer was in Arkansas. AT&amp;T's servers were in Georgia and Texas. Yet the government indicted Auernheimer in New Jersey. Its rationale? Of the 114,000 e-mail addresses, 4,500 of them, all of 4 percent, belonged to New Jersey residents. </p>
<p>Since neither Auernheimer nor Spitler was in New Jersey, no computers were accessed in New Jersey and there was no evidence that any of the script's Internet traffic travelled through New Jersey, there was nothing connecting this crime to the Garden State. The government's theory about there being "victims" in New Jersey meant Weev could have been prosecuted in any state where a resident had an e-mail address taken.</p>
<p>This is a problem unique to the CFAA and other computer crime statutes. Given the Internet's ability to connect people and computers, this expansive theory of venue under the CFAA means criminal defendants could be dragged into any court in any state. It allows prosecutors to "forum shop," or bring the case before the court most likely to support the government's case.</p>
<p>That seems to be what happened here, as part of the government's motivation in charging Weev in New Jersey was to use the state's computer crime law to elevate his conduct from a misdemeanor into a felony.</p>
<p><strong>No Double-Counting</strong></p>
<p>Accessing data without authorization under the CFAA is generally a misdemeanor but becomes a felony if done in furtherance of another crime. Here, the government charged Weev with a felony CFAA violation because they claimed he violated the federal computer access crime in furtherance of violating the state of <a href="http://law.onecle.com/new-jersey/2c-the-new-jersey-code-of-criminal-justice/20-31.html">New Jersey's computer access crime</a>.</p>
<p>But Congress never intended to allow prosecutors to essentially double-count one course of conduct. In 2011, we successfully argued to the 4th Circuit in <a href="https://www.eff.org/cases/us-v-cioni"><em>United States v. Cioni</em></a> that the government can't take one set of actions and stretch it into two different federal statutes to transform a CFAA misdemeanor into a felony. We've asked the 3rd Circuit to reach a similar decision when the feds use a state statute to increase punishment for a similar federal statute based on the same underlying conduct. Given the <a href="https://www.eff.org/deeplinks/2013/03/3-months-or-35-years-understanding-cfaa-sentencing-part-1-why-maximums-matter">tough CFAA penalty scheme</a>, it's important to reserve the toughest punishment for the most <a href="https://www.eff.org/deeplinks/2013/02/rebooting-computer-crime-part-3-punishment-should-fit-crime">serious crimes</a>.</p>
<p><strong>Accessing Data on a Public Website Isn't A Crime</strong></p>
<p>The problems in Weev's case aren't just matters of procedure; there is a significant problem with the government's entire theory of liability under the CFAA. It makes visiting a public website a crime.</p>
<p>In essence, the government claims that Auernheimer and Spitler obtained the e-mail addresses "without authorization" under the CFAA because AT&amp;T didn't want them to have the addresses, despite putting absolutely no technical roadblock—such as requiring a login with a username and password—in their way. As we've <a href="https://www.eff.org/deeplinks/2013/06/eff-access-public-website-not-crime">warned before</a>, accessing data on a public website isn't criminal, even if the website owner doesn't like how their data is being used. The way to prevent people from accessing data is to restrict access to that data, not to claim some people who visit a website are "authorized" and others aren't without any clear mechanism for distinguishing between the two.</p>
<p><strong>An Identity Theft Charge Missing Unlawful Activity and Theft</strong></p>
<p>The identity theft statute criminalizes anyone who unlawfully possesses, transfers or uses a means of identification in connection with another crime. But the government's theory is missing the unlawful activity needed in the statute. First, Auernheimer didn't unlawfully possess the e-mail addresses under the CFAA, meaning there was no underlying crime to hinge the identity theft statute on in the first place. Second, Auernheimer didn't possess or transfer the e-mail addresses in connection with a crime involving conduct separate from the act of obtaining the e-mail addresses. When he accessed the e-mail addresses under the CFAA, he necessarily possessed them under the identity theft statute too. And just like the government can't rely on one set of conduct to create a felony crime under the CFAA, it can't do the same under the identity theft statute either.</p>
<p><strong>Unreasonable Mailing Costs Aren't CFAA "Loss"</strong></p>
<p>Finally, the 41-month sentence was based on an improper determination of what AT&amp;T's "loss" was as a result of the e-mail addresses being disclosed. After it learned its website was leaking e-mail addresses, AT&amp;T closed the hole and sent an e-mail to its customers, notifying them about what happened. That e-mail notice was very effective; it reached 98% of all affected customers. But AT&amp;T decided to also send the same notice through the postal mail. That cost AT&amp;T $73,000; it also cost Auernheimer a significant sentencing increase.</p>
<p>That $73,000 loss amount was used to more than double <a href="https://www.eff.org/deeplinks/2013/03/41-months-weev-understanding-how-sentencing-guidelines-work-cfaa-cases-0">Auernheimer's recommended sentence</a>. Yet "loss" under the CFAA must be tied to a computer and these mailing costs weren't. And even if the mailing costs did count as "loss" under the CFAA, the effectiveness of the e-mail notice meant duplicating that notice with a physical mailing made AT&amp;T's costs unreasonable.</p>
<p><strong>It's Not Just About Weev</strong></p>
<p>We expect oral argument in the case to be sometime in the fall. We hope the appeals court will see the many problems in Auernheimer's case and realize these issues go beyond his specific case. Allowing AT&amp;T to pass the blame for its poor security onto Auernheimer only <a href="http://www.wired.com/business/2013/03/weev/">discourages security researchers</a> from sharing their discoveries and arms prosecutors with aggressive legal theories to prosecute computer crimes anywhere they want based on information freely available to the public.</p>
<p>Meanwhile in DC, there's growing scrutiny of the CFAA. A recently introduced bipartisan fix of the CFAA called <a href="https://www.eff.org/deeplinks/2013/06/aarons-law-introduced-now-time-reform-cfaa">"Aaron's Law"</a> is a step in the right direction towards meaningful CFAA reform. The legislation makes clear that CFAA liability is only triggered with actual improper access and eliminates the government's ability to count one set of actions multiple times to increase punishment. You can let your voice be heard by sending an <a href="https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=9005">e-mail to your elected representative</a> asking them to support common sense changes to the CFAA.</p>
</div></div></div><div class="field field-name-field-related-cases field-type-node-reference field-label-above"><div class="field-label">Related Cases:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/cases/us-v-auernheimer">United States v. Andrew Auernheimer</a></div></div></div>Wed, 03 Jul 2013 22:00:46 +0000Hanni Fakhoury74790 at https://www.eff.orgLegal AnalysisCoders' Rights 
ProjectComputer Fraud And Abuse Act ReformA New Kind of D(EFF)CONtesthttps://www.eff.org/deeplinks/2013/06/new-kind-deffcontest
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><a href="https://supporters.eff.org/donate/new-deffcontest"><img alt="Scriptkitty Sez Protect Coders' Rights!" src="https://supporters.eff.org/sites/supporters.eff.org/files/civicrm/persist/contribute/DEFcon_kitten_2_4580d40fe90f6f4e7f08f5c79f99d9ee.jpg" title="Scriptkitty Sez Protect Coders' Rights!" class="align-right" border="0" height="193" hspace="5px" width="189" /></a>For the past three years, EFF has organized the D(EFF)CONtest to highlight the work of supporters who advocate for EFF’s work and inspire others to become supporters of digital civil liberties too. We’re always looking for ways to make an impact with this contest, and so this year, we’re trying something a little different.</p>
<p>But let’s cover a little background first. The D(EFF)CONtest runs in advance of DEF CON, the world's largest hacker convention, with a history nearly as long as EFF’s own. DEF CON has been a nexus of information security innovation and digital creativity, and EFF is proud to have provided legal assistance directly to community members there as part of our service for technologists and users everywhere.</p>
<p>Hackers from around the globe have chosen to stand with EFF as dues-paying members protecting digital freedom. DEF CON attendees in particular have taken fundraising to remarkable new heights of creativity, with everything from waffle sales (thanks, FAIL panel), to mutilating thirst with Brawndo (much obliged, 949), to designing an interactive badge that took people on an EFF quest (arigato, Ninjas).</p>
<p>With that spirit of creativity and community in mind, we plan to give DEF CON 21’s top three EFF fundraisers a special award: an opportunity to share DEF CON with worthy individuals in the community! Winners will be able to designate people who will receive the following benefits for DEF CON 22:</p>
<p>The Grand Prize:</p>
<ul><li>A standard suite at the Rio Hotel and Casino for the DEF CON 22 weekend;</li>
<li>Two DEF CON 22 Human badges;</li>
</ul><p>Second Place:</p>
<ul><li>Two DEF CON 22 Human badges</li>
</ul><p>Third Place:</p>
<ul><li>One DEF CON 22 Human badge</li>
</ul><p>EFF is excited to recognize the leadership of creative souls who have helped fund digital freedom protection while also strengthening the hacker community. We’ve been preparing for months for DEF CON 21 and look forward to the groundbreaking ideas and adventures sure to come.</p>
<p>Questions? Email us at <a href="mailto:membership@eff.org">membership@eff.org</a></p>
</div></div></div>Tue, 25 Jun 2013 23:51:20 +0000Aaron Jue74740 at https://www.eff.orgAnnouncementCoders' Rights ProjectEFF at SXSW 2013: Parties, Panels, and Morehttps://www.eff.org/deeplinks/2013/02/eff-sxsw-2013
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><img src="https://www.eff.org/files/images_insert/sxsw13.png" alt="" class="align-right" title="Join EFF at SXSW!" border="0" height="126" hspace="5px" width="217" />The Electronic Frontier Foundation is back in Austin, TX for South by Southwest (SXSW)! EFF is the world's foremost defender of online civil liberties, so it's only natural that we have boots on the ground at perhaps the most popular showcase of Internet innovation ever. For 23 years, EFF has been uniquely suited to protecting your digital freedom by blending the expertise of lawyers, activists, technologists, and policy analysts to fight for the users. Whether advocating for software patent reform, defending location privacy, uncovering information about domestic drones, or joining forces with international activists to protect free expression, EFF has your back as we continue into the next stage of technology.</p>
<p>Check out our SXSW Interactive and Music panels below. We encourage you to learn more at EFF's Trade Show <strong>booth #340</strong>. You can even become an EFF member on the spot and get some sweet swag with your tax-deductible donation<strong>.</strong> We also invite you to raise a glass to digital rights at our <a href="https://www.eff.org/sxsw13party"><strong>Hack Digital Freedom: SXSW</strong></a> gathering with EFF-Austin and iSEC Partners. Space is limited. We hope to see you in Austin!</p>
<p><strong>EFF TALKS AT SXSW INTERACTIVE, FILM, AND MUSIC:</strong></p>
<p><em><strong>Updated 3/11/13</strong></em></p>
<p><strong><a href="http://schedule.sxsw.com/2013/events/event_IAP3353" id="a_IAP3353_Lynch">I Know Where You're Going: Location as Biometric</a><br />
Friday, March 8, 3:30PM - 4:30PM</strong></p>
<p>This session will discuss location data as the ultimate biometric identifier. The tracking devices we carry around in our pockets (our smart phones) send out location data every time they search for a signal. Law enforcement routinely requests this data - sending out over 1.3 million demands to providers last year. This data can not only reveal where we go and what we do in our lives—it can also define and identify us. The session will cover the legal and technical aspects of location information as biometric, what this means for privacy and civil liberties, and what you can do about it. <em>Speakers: Jeff Jonas and EFF's <a href="https://www.eff.org/about/staff/jennifer-lynch">Jennifer Lynch</a>.</em></p>
<p><strong><a href="http://schedule.sxsw.com/2013/events/event_IAP6422" id="a_IAP6422_Jeschke">How to Keep EFF &amp; the ACLU Off Your Ass</a><br />
Saturday, March 9, 3:30PM - 4:30PM</strong></p>
<p>Make no mistake, privacy is not dead. If it was, privacy snafus wouldn’t still be making headlines. Failing to build in privacy protections is the quickest way to put your company smack in the middle of a PR disaster. If you messed up, we’re going to have something to say and we don’t do kid gloves. The good news is that so many of the privacy-related PR disasters could have been prevented with some simple advance planning. Hear from two of the top people that tech reporters call for comment when there’s a new product that has everyone talking. They will tell you how to plan ahead to avoid privacy &amp; PR nightmares, saving your company time and money while enhancing reputation and building customer loyalty and trust. <em>Speakers: Rebecca Farmer and EFF's <span class="pres_name"><a href="https://www.eff.org/about/staff/rebecca-jeschke">Rebecca Jeschke</a>.</span></em></p>
<p><strong><a href="http://schedule.sxsw.com/2013/events/event_FP1913">Dangerous Docs! When the Subject Bites Back</a><br />
Monday, March 11, 3:30PM - 4:30PM</strong></p>
<p>Documentaries have never been more influential. So no surprise that they are increasingly targeted-- both before and after their making-- by subjects who don't like their revelations. Whether you’re facing big corporations (Crude, Bananas!), government agencies (Gasland, The Oath), or the bigots in your webisode audience (Black Folk Don’t, Awkward Black Girl, Tropes v Women), it’s time to learn how to deal. Learn from experts who've dealt with it! <em>Speakers: Patricia Aufderheide and EFF's <a href="https://www.eff.org/about/staff/parker-higgins">Parker Higgins</a>.</em></p>
<p><strong><a href="http://rsvp.vice.com/viceland/index-2.html">Drone Nation</a><br />
Monday, March 11, 3 - 5PM</strong></p>
<p>Look up. Drones are in the air - and invading Austin, and the launch pad is Drone Day at Viceland presented by Oblivion. Join speakers including EFF Activist <a href="https://www.eff.org/about/staff/trevor-timm">Trevor Timm</a> for a multimedia roundtable on the future of flying robots in America. The talk is bookended by the <em>Drone Show</em> and <em>Flight School</em> demos. Stick around for music from M83.</p>
<p><strong><a href="http://schedule.sxsw.com/2013/events/event_IAP3994" id="a_IAP3994_Timm">Cryptowars Déjà Vu: Controlling Exports of Tech</a><br />
Tuesday, March 12, 9:30AM - 10:30AM</strong></p>
<p>We now know that technology plays an important role in activism, allowing for ease of communication and the rallying of support, among other things. In the 2009 Iran protests and the current conflicts in Syria and Sudan, activists and citizen journalists have taken advantage of the wealth of tech available, but existing export controls nonetheless continue to prevent important communications technologies from reaching activists and dissidents.</p>
<p>These export controls—enacted by the Departments of Treasury and Commerce and detailed here—often hurt the very individuals they’re meant to help, by restricting access for citizens while doing little to stop authoritarian regimes from getting ahold of products via third parties or on the black market.</p>
<p>This panel will offer perspectives on how technology companies can be proactive in ensuring equal access to communications technology for all of the world's citizens. <em>Speakers: Ahmed Ghappour, Sahar Sabet, and EFF's <a href="https://www.eff.org/about/staff/jillian-york">Jillian York</a> and <a href="https://www.eff.org/about/staff/trevor-timm">Trevor Timm</a>.</em></p>
<p><strong><a href="http://schedule.sxsw.com/2013/events/event_IAP349" id="a_IAP349_Hofmann">Legal Bootcamp for Mobile Developers</a><br />
Tuesday, March 12, 3:30PM - 6:00PM</strong></p>
<p>RSVP Required - Innovation continues to skyrocket in the mobile space, but many developers don't realize that they're creating apps against a complex -- and often murky -- legal backdrop. This presentation will identify and discuss some of the key legal issues mobile developers should know about. We'll discuss the laws that apply to activities like jailbreaking devices, reverse engineering code, transmitting and storing user information, and intercepting communications. We'll also talk about practical steps you can take to reduce your risk so that you can go about your work with less potential for legal trouble. <em>Presented by Charles Mudd Jr. and EFF's <a href="https://www.eff.org/about/staff/marcia-hofmann">Marcia Hofmann</a>.</em></p>
<p><strong><a href="http://schedule.sxsw.com/2013/events/event_MP6101" id="a_MP6101_Samuels">So We Won SOPA: Turning a Moment into a Movement</a><br />
Saturday, March 16, 12:30PM - 1:30PM</strong></p>
<p>The fight over SOPA/PIPA was a Washington watershed: 15 million Americans contacted Congress and stopped laws that would have harmed online culture and innovation. Learn how to transform this victory into a strong, self-sustaining movement to promote and defend the Internet. <em>Speakers: Michael Petricone, Laurent Crenshaw, Jayme White, and EFF's <a href="https://www.eff.org/about/staff/julie-samuels">Julie Samuels</a>.</em></p>
</div></div></div>Fri, 01 Mar 2013 18:50:10 +0000Aaron Jue73368 at https://www.eff.orgAnnouncementCoders' Rights ProjectSOPA/PIPA: Internet Blacklist LegislationInternationalPrivacyCell TrackingRebooting Computer Crime Law Part 1: No Prison Time For Violating Terms of Service https://www.eff.org/deeplinks/2013/01/rebooting-computer-crime-law-part-1-no-prison-time-for-violating-terms-of-service
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><em>In the wake of social justice activist Aaron Swartz's tragic death, Internet users around the country are taking a hard look at the Computer Fraud and Abuse Act (CFAA), the federal anti-hacking law. As we've <a href="https://www.eff.org/deeplinks/2013/01/aaron-swartz-fix-draconian-computer-crime-law">noted</a>, the CFAA has lots of problems. In this three-part series, we'll explain these problems in detail and why they need to be fixed. </em><em>For more details about our proposal for CFAA reform, see</em><em> <a href="https://www.eff.org/deeplinks/2013/02/rebooting-computer-crime-law-part-2-protect-tinkerers-security-researchers">part 2</a> and <a href="https://www.eff.org/deeplinks/2013/02/rebooting-computer-crime-part-3-punishment-should-fit-crime">part 3</a>.</em></p>
<p><a href="https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=9005"><img alt="Take action to fix computer crime law." src="https://www.eff.org/files/aarons-law-action-button.png" class="align-left" /></a>Here is the CFAA's greatest flaw: the law makes it illegal to access a computer without authorization or in a way that exceeds authorization, but doesn't clearly explain what that means. This murkiness gives the government tons of leeway to be creative in bringing charges. </p>
<p>For example, overzealous prosecutors have gone so far as to argue that the CFAA criminalizes violations of private agreements like an <a href="https://www.eff.org/cases/u-s-v-nosal">employer's computer use policy</a> or a <a href="https://www.eff.org/cases/united-states-v-drew">web site's terms of service</a>. Thankfully, some federal courts have recognized the absurdity of this argument, but Congress needs to fix the law to make it crystal clear. Vague laws are dangerous precisely because they give prosecutors and courts too much discretion to arbitrarily penalize normal, everyday behavior. </p>
<p>So, under the government's theory, what innocuous activities could the CFAA criminalize? Here are a few things that could violate the CFAA under the government's misguided interpretation of the law:</p>
<ol><li><b>Lying about your age on Facebook.</b> Facebook's <a href="https://www.facebook.com/legal/terms">Rights and Responsibilities </a>make users promise not to "provide any false personal information on Facebook." So don't even think about RSVPing to an event you can't attend, or posting a misleading status update, or telling people you're married when you're not. These are all activities that could violate Facebook's terms, and have you facing a years-long prosecution if the government decides to make an example of you.</li>
<li><b>Saying you're "tall, dark and handsome" on Craigslist</b> when you're actually short and homely. Under Craigslist's <a href="http://www.craigslist.org/about/terms.of.use">Terms of Service</a>, a user can't post "false or fraudulent content" on the site. And that's not all. Flagging something multiple times or encouraging others to flag content is also a violation of terms<span>—</span>not exactly the sort of dangerous activity the CFAA was meant to criminalize.</li>
<li><b>Buying a lotto ticket with Square</b><strong>.</strong> Square's <a href="https://squareup.com/legal/pay-ua">Wallet User Agreement</a> bans tons of different types of transactions, including purchases "in connection with" membership clubs, identity theft protection services, lotto tickets or "occult materials." Does that mean you can't use Square to buy copies of the Twilight books? Only Square and federal prosecutors could tell you for sure.</li>
<li><b>Letting a friend log in to your Pandora account.</b> Under Pandora's <a href="http://www.pandora.com/legal">Terms of Use</a>, users must "agree that you will not allow others to use any aspect of your Account Information." So before you give your significant other your Pandora password, consider whether he or she is someone you want to put on your visitor's list should you end up in prison.</li>
<li><b>Posting impolite comments on the New York Times' Web Site. </b>The New York Times has an almost Victorian <a href="http://www.nytimes.com/content/help/rights/terms/terms-of-service.html#discussions">Terms of Service</a> (1/24/13), which admonishes users to "be courteous" and "use respectful language" and "debate, but don't attack." So before you engage in a late night impassioned discussion in a comment thread on an article, check to make sure your language doesn't edge into "impolite" and land you in the Big House.</li>
<li><b>Using Hootsuite to update your Google Plus page. </b>The social media management tool Hootsuite lets users manage their Twitter and Facebook accounts, and it has been <a href="http://blog.hootsuite.com/google-plus-pages-open/">happily promoting</a> its new Google Plus integration. But be wary: Google's <a href="http://www.google.com/intl/en/policies/terms/">Terms of Service</a> warn that you mustn't "misuse our Services" and specifically caution that users should not "try to access them using a method other than the interface and the instructions that we provide." Since Google doesn't provide Hootsuite, using the Hootsuite dashboard to update your Google Plus account could be cause for criminal liability.</li>
<li><b>Sending a sexy message on eHarmony</b><strong>.</strong> eHarmony may be about finding love, but don't even think about sending a sexually suggestive missive to someone through the service. eHarmony's <a href="http://www.eharmony.com/about/terms/">Terms of Service</a> ban individuals from using the service to send messages that are "sexually oriented." The terms also ban users from submitting content that is "off-topic" or "meaningless." So, stay focused but not too sexy in your eHarmony communications or your search for love might attract the attention of a government prosecutor.</li>
</ol><p>Internet users shouldn't live in fear that they could face criminal liability for mere terms of service violations<span>—</span><span>especially given that website terms are often vague, lopsided and subject to change without notice. Security testing, code building, and free speech</span><span>—</span><span>even if unabashedly impolite</span><span>—</span><span>are fundamental parts of the Internet's character. Supporting these types of innovation helps keep the Internet dynamic and interactive. Regardless of whether you think that people ought to send sexy messages on eHarmony or post impolite comments on NYTimes.com, one thing is certain: violating a private agreement or duty should not carry the grim shadow of criminal liability. No one should face criminal charges, go to jail, or face fines as a result of a contractual violation like using a pseudonym on Facebook.</span></p>
<p>Representative Zoe Lofgren (D-CA) has <a href="http://www.reddit.com/r/IAmA/comments/17pisv/im_rep_zoe_lofgren_here_is_a_modified_draft/">started the conversation</a> and advocacy groups like Demand Progress have joined us in working to fix the vague, dangerous and overly punitive sections of CFAA that were misused to persecute Aaron Swartz. Please join EFF in calling on Congress to fix the glaring problems with CFAA by <a href="https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=9005">sending an email to Congress now</a>.</p>
<p></p><center><img src="https://www.eff.org/files/cfaa-tos-600.png" /></center>
</div></div></div><div class="share-links" style="margin-bottom:10px"><br/>Share this: <a href="https://twitter.com/intent/tweet?text=Rebooting%20Computer%20Crime%20Law%20Part%201%3A%20No%20Prison%20Time%20For%20Violating%20Terms%20of%20Service%20%20%20&amp;url=https%3A//www.eff.org/deeplinks/2013/01/rebooting-computer-crime-law-part-1-no-prison-time-for-violating-terms-of-service&amp;related=eff&amp;via=eff" target="_blank"><img src="https://www.eff.org/sites/all/themes/frontier/supporters/images/twitter48.png" alt="Share on Twitter" /></a> <a href="https://www.facebook.com/share.php?t=Rebooting%20Computer%20Crime%20Law%20Part%201%3A%20No%20Prison%20Time%20For%20Violating%20Terms%20of%20Service%20%20%20&amp;u=https%3A//www.eff.org/deeplinks/2013/01/rebooting-computer-crime-law-part-1-no-prison-time-for-violating-terms-of-service" target="_blank"><img src="https://www.eff.org/sites/all/themes/frontier/supporters/images/facebook48.png" alt="Share on Facebook" /></a> <a href="https://plus.google.com/share?url=https%3A//www.eff.org/deeplinks/2013/01/rebooting-computer-crime-law-part-1-no-prison-time-for-violating-terms-of-service" target="_blank"><img src="https://www.eff.org/sites/all/themes/frontier/supporters/images/gplus48.png" alt="Share on Google+" /></a> <a href="https://sharetodiaspora.github.com/?title=Rebooting%20Computer%20Crime%20Law%20Part%201%3A%20No%20Prison%20Time%20For%20Violating%20Terms%20of%20Service%20%20%20&amp;url=https%3A//www.eff.org/deeplinks/2013/01/rebooting-computer-crime-law-part-1-no-prison-time-for-violating-terms-of-service" target="_blank"><img src="https://www.eff.org/sites/all/themes/frontier/supporters/images/diaspora48.png" alt="Share on Diaspora" /></a> <a href="https://supporters.eff.org/join" style="background-color:#cc0000; color:#ffffff; text-decoration:none; cursor:pointer; padding:5px 8px; font-family:verdana; font-weight:bold; border-radius:8px; text-shadow: 1px 1px #660000; text-transform:uppercase;">Join 
EFF</a></div>Mon, 04 Feb 2013 18:56:58 +0000Marcia Hofmann and rainey Reitman73109 at https://www.eff.orgCoders' Rights ProjectTerms Of (Ab)UseComputer Fraud And Abuse Act ReformThe 2012 DMCA Rulemaking: What We Got, What We Didn’t, and How to Improve the Process Next Timehttps://www.eff.org/deeplinks/2012/11/2012-dmca-rulemaking-what-we-got-what-we-didnt-and-how-to-improve
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p class="MsoNormal">Last week the Librarian of Congress issued his <a href="http://www.copyright.gov/fedreg/2012/77fr65260.pdf">final decision</a> (pdf) limiting copyright owners’ ability to sue you for making full use of the works you buy. The short version: it’s a mixed bag. On one hand, the Librarian looked to the future, broadening existing exemptions for extracting clips from DVDs to include clips from movies distributed online, as well. At the same time, the Librarian refused to expand an exemption for "jailbreaking" smartphones to include the smartphone’s cousin, the tablet, even though there is little practical difference between the two devices. Equally illogically, the Librarian refused to grant an exemption for jailbreaking video game consoles.</p>
<p class="MsoNormal">Now the long version. </p>
<p class="MsoNormal">In case you haven’t been following this triennial process, here’s some background: The Digital Millennium Copyright Act prohibits "circumventing" digital rights management (DRM) and other "technological measures" used to protect copyrighted works. While this ban was meant to deter copyright infringement, the law is misused to chill innovation, free speech and fair use. The one ray of light: every three years the U.S. Copyright Office convenes a "rulemaking" to consider granting exemptions to the DMCA's ban on circumvention to mitigate the harms the law has caused to legitimate non-infringing uses of copyrighted materials. The Copyright Office pores over exemption proposals submitted by the public, weighs the pros and cons, and then offers recommendations to the Librarian of Congress, who ultimately grants or denies the exemptions.</p>
<p class="MsoNormal">In the 2012 rulemaking, EFF asked the Librarian to protect the jailbreaking of smartphones, electronic tablets, and video game consoles—liberating them to run operating systems and applications from any source, not just those approved by the manufacturer. EFF also asked for legal protections for artists and critics who use excerpts from DVDs or downloading services to create new, remixed works. Our goal was to build on and expand exemptions that EFF won in the 2009 rulemaking proceeding for jailbreakers and remix artists. Other groups similarly sought to build on exemptions for education uses, filmmaking, and multimedia e-books. </p>
<p class="MsoNormal">Hundreds of pages of material for and against these exemptions were submitted to the Copyright Office, including a petition with more than 27,000 signatures in support of the proposed jailbreaking exemptions. Then, this past summer, witnesses gathered in several days of hearings on both coasts. The Office heard from industry representatives and proponents, of course, but equally if not more important was the testimony from users who would be directly affected, such as vidders <a href="http://www.rebelliouspixels.com">Jonathan McIntosh</a> and <a href="http://tishaturk.dreamwidth.org">Tisha Turk</a>, and software developer Brad Lassey from <a href="https://www.mozilla.org">Mozilla</a>.</p>
<p class="MsoNormal"><b>The Video Exemptions</b></p>
<p class="MsoNormal">Until 2009, the only people allowed to circumvent DVD encryption for fair use purposes were film and media studies professors. In 2009, that category was expanded to include all college and university professors, film and media studies students, documentary filmmakers, and noncommercial vidders. Now the Librarian has expanded it further, covering K-12 educators, all college students, multimedia e-book authors, and professionals who have been commissioned to make videos for nonprofit purposes. The new exemption also permits breaking encryption on online content, not just DVDs. That’s a big win for fair use creativity, and we are proud to have helped make it happen. </p>
<p class="MsoNormal">Also satisfying: the Register of Copyrights rightly rejected Hollywood’s claim that vidders and others should be happy to make do with the limited, pre-selected set of clips available for licensing, and/or low-quality clips generated by screen capture programs. On the first point, you shouldn’t need a license to engage in a fair use. And as Tisha Turk pointed out regarding screen capture:</p>
<blockquote><p class="MsoNormal">One of the first rules of video editing is <i>garbage in, garbage out:</i> it’s easy to degrade source quality but impossible to improve it. If I start from images that are blurred or pixellated or otherwise compromised, then the best I’m going to end up with is a mess, and if my video is a mess then I can't make the points I want to make, either because people won't watch the video or because they literally won't be able to see what I'm trying to say.</p>
</blockquote>
<p class="MsoNormal">Hollywood wouldn’t settle for low-quality source material, and neither should remix artists or their audiences. Happily, the Register got the point, and refused to treat remix artists as second-class creators.</p>
<p class="MsoNormal">But plenty of limits remain. For example, the user may take only a “short portion” of the original work for purposes of criticism and commentary and she must reasonably believe she needs to break the DRM to accomplish that purpose. Much worse, the exemption doesn’t extend to breaking encryption on HD or Blu-Ray disks, and fictional filmmakers are simply out of luck.</p>
<p class="MsoNormal">And <i>this exemption does not affect toolmakers</i>—i.e., those who develop and provide the tools that make circumventing encryption possible. Yep, that’s right—the DMCA only authorizes exemptions for breaking encryption for otherwise lawful purposes; there’s no parallel provision for creating and distributing the tools that make it possible (though other provisions of the DMCA may protect those activities). So you can use DVD-ripping programs, but you can’t make ‘em.</p>
<p class="MsoNormal">Finally, even though the Librarian affirmed yet again that using short portions of a movie for purposes of criticism or comment in a noncommercial video is a fair use, Hollywood can still use tools like YouTube’s Content I.D. system to take down such videos with the flip of a switch.</p>
<p class="MsoNormal"><b>The Jailbreaking Exemptions</b></p>
<p class="MsoNormal">In 2009, EFF won an exemption allowing users to modify smartphones so that they could install independent software not necessarily authorized by the phone's manufacturer, carrier, or platform provider—a process known as “jailbreaking” for iPhones and “rooting” for Android phones. This time, we asked the Librarian not only to renew this exemption, but expand it to cover tablets. This shouldn’t have been a hard sell: in all important respects, tablets are simply larger mobile devices, right down to using the same access controls to restrict the programs users can install. They just aren’t marketed as phones, even though <a href="http://www.squidoo.com/tablet-phone">they can also be used to make calls</a>. </p>
<p class="MsoNormal">The good news is that the Librarian renewed EFF’s exemption request for smartphones, relying on the Copyright Office’s finding that jailbreaking is a fair use. The Copyright Office noted in particular that the 2009 exemption hasn’t harmed the market for smartphones, and the renewal may even “make smartphones more attractive to consumers.” Score one for jailbreakers. (Unfortunately, as with the video exemptions, this carve-out applies only to tool-users, not tool-makers. That means you can rely on this exemption to jailbreak your phone, but not to distribute jailbreaking code to others.)</p>
<p class="MsoNormal">The bad news is that the Librarian refused to extend the exemption to tablets, claiming it was too hard to know which devices fall within this category. This is disappointing because the access controls on tablets and smartphones raise identical problems for consumers, and there is no reason why users should face DMCA liability for jailbreaking one but not the other—especially as the functionality of these devices continues to blur.</p>
<p class="MsoNormal">EFF separately asked that an exemption be granted for users to jailbreak video game consoles so that academic researchers and independent “homebrew” developers can take full advantage of their consoles’ potential without risk of DMCA liability. The Librarian denied this exemption after the Copyright Office expressed concern that jailbreaking even for legitimate uses would lead to more infringing activity. The Office was wrong, both on reasoning and policy. People who want to play infringing games aren’t going to be intimidated by a little additional DMCA liability. Absent an exemption, the only people hindered by the DMCA threat are legitimate users like researchers and independent software developers. </p>
<p class="MsoNormal">More generally, if you buy a device—whether it’s a phone, a video game console, a tablet, or an e-book reader—it’s yours, and you should be able to run any software you like on it. There’s no principled reason to allow users this freedom on some devices, but not others. We hope that in future rulemakings, the Librarian will recognize this fact.</p>
<p class="MsoNormal"><b>Word to the Copyright Office: Time to Level the Field</b></p>
<p class="MsoNormal">EFF has participated in most of the rulemakings that have occurred since the DMCA was passed in 1998. We know first-hand the numerous procedural and practical obstacles to obtaining an exemption. It takes a major investment of time and resources—an investment that’s beyond the reach of most of the public. The Register of Copyrights and the Librarian of Congress would do well to go back to the drawing board and come up with a process, and a standard, that will help a broader array of concerned users to make their case for legitimate exemptions.</p>
<p class="MsoNormal">First, the process should be streamlined and simplified so that informed laypersons can meaningfully participate and make their cases for new exemptions. As it stands, the process tends to be dominated by legal experts (though laypeople may come in as witnesses). You shouldn't need an advanced degree (not to mention many hours of time) to seek to remove the DMCA shadow looming over your otherwise lawful activities. </p>
<p class="MsoNormal">Second, the Register should revisit the long-standing policy of making the proponent of an exemption demonstrate the need for it every three years, during each and every rulemaking—no matter how obvious the need for the exemption is, or how many times it’s been granted in the past. It’s absurd to automatically put the burden of proof on the people seeking an exemption under all circumstances, and it's not required by the DMCA. Once the Librarian grants an exemption, the burden should shift to those who oppose it to show in future rulemakings why it isn’t needed anymore.</p>
<p class="MsoNormal">Finally, the Copyright Office should be more receptive to granting exemptions for innovative uses of new and emerging technologies. The fact that an exemption was granted for smartphones but not tablets, even though they are virtually interchangeable devices with increasingly similar functionalities, shows that the rulemaking process doesn’t track the ways consumers are using those devices today. The exemption process should be designed to get the DMCA out of the way of otherwise legal, innovative uses happening <i>now</i>—not to leave a cloud of legal uncertainty to hang over the heads of users until a record can be built to “prove” how people have been using technology for several years.</p>
<p class="MsoNormal">EFF will keep fighting the good fight, but if the Copyright Office wants the rulemaking process to be truly meaningful, it needs to remove obstacles so that everyone with a legitimate need can effectively present their case. In the meantime, we thank our supporters, particularly the <a href="http://transformativeworks.org">Organization for Transformative Works</a>, the <a href="http://www.law.berkeley.edu/samuelsonclinic.htm">Samuelson Law, Technology and Public Policy Clinic</a>, <a href="http://www.newmediarights.org">New Media Rights</a>, <a href="https://www.mozilla.org">Mozilla</a>, <a href="bunniestudios.com">bunnie Huang</a>, and the thousands of people who contacted the Copyright Office to support our exemption requests. </p>
</div></div></div><div class="field field-name-field-related-cases field-type-node-reference field-label-above"><div class="field-label">Related Cases:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/cases/2012-dmca-rulemaking">2012 DMCA Rulemaking</a></div></div></div><div class="share-links" style="margin-bottom:10px"><br/>Share this: <a href="https://twitter.com/intent/tweet?text=The%202012%20DMCA%20Rulemaking%3A%20What%20We%20Got%2C%20What%20We%20Didn%E2%80%99t%2C%20and%20How%20to%20Improve%20the%20Process%20Next%20Time&amp;url=https%3A//www.eff.org/deeplinks/2012/11/2012-dmca-rulemaking-what-we-got-what-we-didnt-and-how-to-improve&amp;related=eff&amp;via=eff" target="_blank"><img src="https://www.eff.org/sites/all/themes/frontier/supporters/images/twitter48.png" alt="Share on Twitter" /></a> <a href="https://www.facebook.com/share.php?t=The%202012%20DMCA%20Rulemaking%3A%20What%20We%20Got%2C%20What%20We%20Didn%E2%80%99t%2C%20and%20How%20to%20Improve%20the%20Process%20Next%20Time&amp;u=https%3A//www.eff.org/deeplinks/2012/11/2012-dmca-rulemaking-what-we-got-what-we-didnt-and-how-to-improve" target="_blank"><img src="https://www.eff.org/sites/all/themes/frontier/supporters/images/facebook48.png" alt="Share on Facebook" /></a> <a href="https://plus.google.com/share?url=https%3A//www.eff.org/deeplinks/2012/11/2012-dmca-rulemaking-what-we-got-what-we-didnt-and-how-to-improve" target="_blank"><img src="https://www.eff.org/sites/all/themes/frontier/supporters/images/gplus48.png" alt="Share on Google+" /></a> <a href="https://sharetodiaspora.github.com/?title=The%202012%20DMCA%20Rulemaking%3A%20What%20We%20Got%2C%20What%20We%20Didn%E2%80%99t%2C%20and%20How%20to%20Improve%20the%20Process%20Next%20Time&amp;url=https%3A//www.eff.org/deeplinks/2012/11/2012-dmca-rulemaking-what-we-got-what-we-didnt-and-how-to-improve" target="_blank"><img src="https://www.eff.org/sites/all/themes/frontier/supporters/images/diaspora48.png" alt="Share on Diaspora" 
/></a> <a href="https://supporters.eff.org/join" style="background-color:#cc0000; color:#ffffff; text-decoration:none; cursor:pointer; padding:5px 8px; font-family:verdana; font-weight:bold; border-radius:8px; text-shadow: 1px 1px #660000; text-transform:uppercase;">Join EFF</a></div>Fri, 02 Nov 2012 16:40:57 +0000Corynne McSherry and Marcia Hofmann72170 at https://www.eff.orgCommentaryInnovationCoders' Rights ProjectDRMVideo GamesFair Use and Intellectual Property: Defending the BalanceDigital VideoDMCADMCA RulemakingThanks for Supporting EFF in Las Vegas and Beyond!https://www.eff.org/deeplinks/2012/08/thanks-supporting-eff-las-vegas-and-beyond
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>We at the Electronic Frontier Foundation would like to thank everyone who took a moment to support our work this summer with a donation, a kind word, a name drop in your presentation, or a stop at an EFF talk at the <a href="https://www.blackhat.com">Black Hat USA</a>, <a href="http://www.securitybsides.com">Security BSidesLV</a>, and <a href="https://www.defcon.org">DEF CON</a> conferences in Las Vegas. We appreciate you stepping forward to recognize that there is a continuing battle to protect not only <a href="https://www.eff.org/issues/coders">Coders' Rights</a>, but online freedom for everyone. It's people like you that are helping EFF stem the tide of eroding civil liberties.</p>
<p><img src="https://www.eff.org/files/images_insert/DCXX-Mohawk.jpg" title="Buzzed for EFF - Mohawk-Con strikes again!" alt="Buzzed for EFF." class="align-right" height="172" hspace="5px" width="278" />EFF's online rights defense is largely funded by individuals making modest contributions. We aren't funded by tax dollars or client fees so we mean it when we say that every dollar in our humble donation bucket makes a difference. This annual Las Vegas excursion is meaningful to us in so many ways. It's become a tradition for many of you to <a href="https://www.eff.org/join">renew your EFF membership</a> at every DEF CON, <a href="https://www.eff.org/join">pick up the new member swag</a>, or find/create some other creative way to help the cause - like getting your summer mohawk!</p>
<p>The list of EFF supporters and allies in the infosec community is long, but we would like to mention a few of the folks who helped make this year so successful:</p>
<ul><li>Our <a href="https://www.eff.org/deeplinks/2012/07/and-deffcontest-2012-winner-isyou">D(EFF)CONtest participants</a>, and our contest sponsors and prize donors: DEF CON, Vegas 2.0, Ninja Networks<i>, </i>and <a href="https://www.isecpartners.com">iSEC Partners</a>;</li>
<li><a href="https://www.artemis.net/">Artemis</a> for matching donations at our Black Hat booth;</li>
<li>A special anonymous donor for matching donations at our BSides LV booth;</li>
<li><a href="https://www.facebook.com/pages/Vegas-20/114238798598737">Vegas 2.0</a> for launching the annual EFF fundraiser party <strong>theSummit</strong> and Google's <a href="http://www.dataliberation.org/">Data Liberation Front</a> for sponsoring their bar;</li>
<li>Our Beloved Goons for everything;</li>
<li><a href="http://ninjas.org">Ninja Networks</a> for always managing to impress and inspire with their creativity and innovative spirit. Thanks for devising an incentive to donate to EFF, donate blood, and register with <a href="http://www.marrow.org/JOIN/Join_in_Person/index.html">Be the Match</a>.</li>
<li><a href="http://eddietheyeti.deviantart.com">Eddie Mize</a> for directing some artwork proceeds to EFF AND for donating original artwork for auction;</li>
<li>Chris Hoff and his deliciously charitable FAIL Panel Waffles;</li>
<li>Stealth for running the Hackers and Guns firearms training simulation benefitting EFF;</li>
<li>The information desk staffers for taking up a collection for us;</li>
<li>Hacker Jeopardy for raising money for EFF (what beautiful challenge coins!);</li>
<li><a href="http://eff.org/r.p8p">Mohawk-Con</a> for jubilantly shaving attendees to support EFF, Hackers for Charity, and local hacker spaces;</li>
<li>And Dark Tangent and DEF CON for their <span>perennial</span> support and helping people understand the function we serve for the community.</li>
</ul><p>Just this week DEF CON took the charitable spirit further by making EFF a beneficiary of their <a href="http://gravitasrecordings.bandcamp.com/album/def-con-xx-compilation">name-your-price DCXX musical compilation</a>. We even spotted an <a href="http://www.ebay.com/itm/110932582602?ssPageName=STRK%3AMESELX%3AIT&amp;_trksid=p3984.m1558.l2649">Artist Badge auction</a> for EFF! These are just some of the innovative independent fundraisers that we know about. We are grateful to everyone who found a way to support our work.</p>
<p><img src="https://www.eff.org/files/images_insert/General-Alexander.jpg" alt="General Keith Alexander" title="General Keith Alexander, NSA Director, with Dark Tangent." class="align-left" height="162" hspace="5px" width="228" />This special DEF CON anniversary included an appearance by National Security Agency chief General Keith Alexander, and we were pleased that attendees took the opportunity to voice their support for our long-running case against the <a href="https://www.eff.org/nsa">NSA's warrantless surveillance program</a>. Note General Alexander's <a href="http://www.defconkids.org">DEF CON Kids</a> shirt and the lovely logo on his sleeve! You can see some of our favorite photos from this year on <a href="https://www.facebook.com/media/set/?set=a.10150945572596946.407744.97703891945">Facebook</a> and <a href="https://eff.org/r.a9h8">Google+</a>.</p>
<p>Donors like you have funded our activism and our work in the courts every day. <b>Thank you </b>for helping us change the game.</p>
<p>* * *</p>
<p><strong>Update 8/16/2012:</strong> We have read with a lot of interest <a href="https://www.schneier.com/blog/archives/2012/08/sexual_harassme.html">Bruce Schneier</a> and <a href="https://adainitiative.org/2012/08/defcon-why-conference-harassment-matters/">Valerie Aurora</a>'s thoughtful blog posts and the comments posted there. EFF recognizes that defending rights in the digital world means more than just standing up for abstract principles. It means supporting the users and developers who want to make technology better. EFF wants to do everything in our capacity to ensure that individuals at EFF-related events are respected and protected from harassment.</p>
<p>We appreciate the many individuals who dedicate their time at DEF CON and other conferences to fundraise for EFF. Their contributions are vital to our work. But we are deeply concerned by the reports of harassment and other inappropriate behavior at some EFF-related events. Harassment and assault at events like DEF CON and fundraisers for EFF run contrary to our mission.</p>
<p>We are actively discussing the various things EFF can do to take a leadership role in creating a more welcoming environment for women at DEF CON and all of the conferences we attend. To assist us, we have been working with the Ada Initiative, a non-profit with expertise in supporting women in open technology and culture.</p>
<p>As we work through this process, we encourage anyone to send recommendations and other feedback to <a href="mailto:kellie@eff.org">kellie@eff.org</a>. Thanks in advance for your help.</p>
<p><strong>Update 8/23/2012:</strong> There are a couple of incorrect claims floating around in the midst of this story and we at EFF want to make sure the record is clear.</p>
<div id="c856360">
<p>1) The Summit party is thrown <i>to benefit</i> EFF, not <i>by</i> EFF, and we're grateful to the organizers. There was an incident in 2011, unfortunately, of a guest harassing another guest. We know the woman who was harassed. <a href="http://www.schneier.com/blog/archives/2012/08/sexual_harassme.html#c846530" rel="nofollow">Here</a>, the co-host of the party talks about what happened and how upset she is that it happened. This incident was one of the incidents that led to the creation of the color cards this year and we supported that effort too.</p>
<p>2) EFF has never hired any strippers for any party. Period. The two women who we think are being referred to (it's not clear) are longtime Defcon participants who help run the Hacker Jeopardy event. This is a different event from the Summit party. Hacker Jeopardy did donate money to EFF this year, but the event is not run by EFF either, and we understand that these women decided for themselves (as it should be for all women and men) what to wear or not at the event.</p>
<p>3) EFF brings many women to Defcon every year. We're speakers, we work at the booths and we work hard both at the conference and before it to ensure that hackers of all genders are free to hack and speak freely at Defcon and beyond. A safe atmosphere at Defcon -- for everyone -- is important to us. As we mentioned last week, we're working to help ensure that this is the case at Defcon and at every conference we attend.</p>
</div>
</div></div></div><div class="share-links" style="margin-bottom:10px"><br/>Share this: <a href="https://twitter.com/intent/tweet?text=Thanks%20for%20Supporting%20EFF%20in%20Las%20Vegas%20and%20Beyond%21&amp;url=https%3A//www.eff.org/deeplinks/2012/08/thanks-supporting-eff-las-vegas-and-beyond&amp;related=eff&amp;via=eff" target="_blank"><img src="https://www.eff.org/sites/all/themes/frontier/supporters/images/twitter48.png" alt="Share on Twitter" /></a> <a href="https://www.facebook.com/share.php?t=Thanks%20for%20Supporting%20EFF%20in%20Las%20Vegas%20and%20Beyond%21&amp;u=https%3A//www.eff.org/deeplinks/2012/08/thanks-supporting-eff-las-vegas-and-beyond" target="_blank"><img src="https://www.eff.org/sites/all/themes/frontier/supporters/images/facebook48.png" alt="Share on Facebook" /></a> <a href="https://plus.google.com/share?url=https%3A//www.eff.org/deeplinks/2012/08/thanks-supporting-eff-las-vegas-and-beyond" target="_blank"><img src="https://www.eff.org/sites/all/themes/frontier/supporters/images/gplus48.png" alt="Share on Google+" /></a> <a href="https://sharetodiaspora.github.com/?title=Thanks%20for%20Supporting%20EFF%20in%20Las%20Vegas%20and%20Beyond%21&amp;url=https%3A//www.eff.org/deeplinks/2012/08/thanks-supporting-eff-las-vegas-and-beyond" target="_blank"><img src="https://www.eff.org/sites/all/themes/frontier/supporters/images/diaspora48.png" alt="Share on Diaspora" /></a> <a href="https://supporters.eff.org/join" style="background-color:#cc0000; color:#ffffff; text-decoration:none; cursor:pointer; padding:5px 8px; font-family:verdana; font-weight:bold; border-radius:8px; text-shadow: 1px 1px #660000; text-transform:uppercase;">Join EFF</a></div>Thu, 09 Aug 2012 22:06:25 +0000Aaron Jue and Kellie Brownell71534 at https://www.eff.orgAnnouncementCoders' Rights ProjectPeru’s Online Crime Bill Harms Innovation and Privacyhttps://www.eff.org/deeplinks/2012/07/peru-online-crime-bill-chills-innovation-and-impacts-privacy
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>The Peruvian National Anthem proudly proclaims: “We are free! May we always be so!” Yet the Peruvian Congress is considering a sweeping new computer <a href="http://www.mtc.gob.pe/portal/comunicacion/politicas/normaslegales/Aprueban%20la%20Norma%20que%20establece%20medidas%20destinadas%20a%20salvaguardar%20el%20derecho%20a%20la%20inviolavilidad%20y%20el%20secreto%20de%20las%20telecomunicaciones.pdf">crime bill</a> that threatens the privacy and online free expression of law-abiding Peruvians. Peruvians should stand against this ill-conceived bill that will place limits on what they are allowed to do with their own computers. Peruvians should take a cue from <a href="http://openmedia.ca/blog/guest-blog-cippic-tech-lawyer-tamir-israel-debunks-government-myths-online-spying">Canadians</a>, who mobilized resistance against its online surveillance bill earlier this year.</p>
<p>The bill's current word<a>s</a> for security experts working to expose security flaws. As currently written, the bill threatens coders’ ability to access information systems for security testing without explicit permission. If the Peruvian Congress moves to enact this bill as currently written, Peruvian engineers who study others’ systems for legitimate security research and testing may become criminals. A bill like this threatens the ability of new, engineering-driven companies to develop a wide range of innovative third-party applications and platforms that are capable of interacting and interoperating with online companies. It also shuts down the possibility of fostering a local security industry that seeks to responsibly report security vulnerabilities, so as to improve security of Peru’s critical infrastructure.</p>
<p>The bill also threatens the privacy of law-abiding Peruvians. The Peruvian government plans to give police and prosecutors greater online surveillance powers to collect personal identifiers—including IP addresses, mobile device identifiers, and device owner's names—by excluding these identifiers from its current constitutional and regulatory framework protections.</p>
<p>Personal identifiers (such as IP addresses) when linked to another piece of information can reveal far more sensitive information than ever before, such as online identities, activities, social contacts, and location trails. Once an IP address is linked to an individual, it becomes easy to construct a dossier that can be profiled, mined, and analyzed. Mobile device identifiers also disclose a vast amount of personal information. New technologies can easily track people’s mobile devices to reveal their locations, which is why effective legal safeguards and checks and balances are needed.</p>
<p>While the bill explicitly states its intention to exclude Peruvians’ IP addresses and other identifiers from constitutional protection, it also compels telecommunications and Internet companies to hand over these identifiers to law enforcement and prosecutors upon a judge’s authorization. This murky landscape shouldn't be murky: Personal identifiers should keep enjoying the same level of protection as currently guaranteed by the Peruvian Constitution and other regulatory frameworks, including its judicial guarantee.</p>
<p>In sum, the Peruvian Congress should postpone voting on the bill, and hold an open and democratic debate. This bill, as currently written, converts legitimate activities of ordinary people into "criminal" activities. Moreover, it jeopardizes the rights of law-abiding Peruvian citizens and hinders the development of an innovative technology industry. Stay tuned: We will keep an eye on the overall proposal as the debate unfolds.</p>
</div></div></div>
Tue, 31 Jul 2012 20:46:14 +0000 | Katitza Rodriguez | 71371 at https://www.eff.org | Policy Analysis, Innovation, Coders' Rights Project, International, Privacy, Locational Privacy, Security
Elusive FinFisher Spyware Identified and Analyzed
https://www.eff.org/deeplinks/2012/07/elusive-finfisher-spyware-identified-and-analyzed
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>The FinFisher spyware, produced by the UK-based Gamma Group, has been for years as elusive as it was notorious. Since protesters found <a href="https://www.f-secure.com/weblog/archives/00002114.html">FinFisher company records</a> in an abandoned Egyptian state security building last year, security researchers and activists around the world have been eager to get their hands on a copy of the tools in the FinFisher suite, especially the component called FinSpy. FinSpy has been the subject of particular interest because of its <a href="https://www.f-secure.com/weblog/archives/00002114.html">ability to wiretap calls made over the Skype network</a>, which is widely used among activists all over the world, often in the belief that it is more secure than other forms of communication.</p>
<p>Now for the first time, a copy of the spyware has been publicly analyzed. Morgan Marquis-Boire, a security researcher at <a href="https://citizenlab.org/">Citizen Lab</a>, and Bill Marczak, a founding member of Bahrain Watch, have published <a href="http://www.bloomberg.com/news/2012-07-25/cyber-attacks-on-activists-traced-to-finfisher-spyware-of-gamma.html">an in-depth analysis of FinSpy</a> after obtaining copies of the program used to target pro-democracy activists.<a class="see-footnote" id="footnoteref1_t7p2cbp" title="Marquis-Boire has also co-written several entries on this site analyzing reports of Syrian government malware." href="#footnote1_t7p2cbp">1</a> The targeted activists were each involved with the <a href="http://bahrainwatch.org/index.html">government transparency organization Bahrain Watch</a>, but were located in different cities around the world. The spyware was included in targeted attachments that purported to come from an Al-Jazeera journalist and contain pictures and information about current events in Bahrain.</p>
<p>It's not clear that Bahrain Watch was being targeted specifically. "The malware seemed to have targeted people who are involved in activist organizations, particularly activists who have significant contacts outside of Bahrain," said Marczak.</p>
<p>The activists were suspicious of the email attachments they had received and <a href="http://www.bloomberg.com/news/2012-07-25/cyber-attacks-on-activists-traced-to-finfisher-spyware-of-gamma.html">passed the files along to Bloomberg News</a>, which turned them over to Marquis-Boire. In addition to posting materials on the Citizen Lab site, he will be presenting the results of his analysis at the BlackHat security conference today in Las Vegas. Perhaps the most notable difference Marquis-Boire has revealed between FinSpy and less sophisticated malware tools like those used by the Syrian government is the way in which this software was designed to defy analysis: not only was FinSpy actively avoiding detection by anti-virus programs, but it was also heavily "booby-trapped," causing many of the most popular debugging programs to crash during attempts to analyze and identify the code.</p>
<p>Gamma and FinFisher have come under heavy international scrutiny for their apparent willingness to export sophisticated surveillance technologies to oppressive government regimes. Hosni Mubarak's government in Egypt is just one example. <a href="https://www.privacyinternational.org/press-releases/privacy-international-commences-legal-action-against-british-government-for-failure">According to Privacy International</a>, "there is also evidence that this technology has been deployed in Turkmenistan, a one-party state that Human Rights Watch labelled 'one of the world's most repressive countries' in March 2012." Privacy International is currently engaged in <a href="https://www.privacyinternational.org/press-releases/privacy-international-commences-legal-action-against-british-government-for-failure">legal action against the British government</a>. The action arose after Privacy International issued repeated requests for information about why the government has chosen not to exercise its powers under the Export Control Act of 2002 to restrict sales of technical goods or services to governments that could be used to commit human rights abuses. FinFisher's products appear to fall into that category.</p>
<p>Similarly, EFF has been calling for companies that produce surveillance technology to adopt <a href="https://www.eff.org/deeplinks/2011/10/it%E2%80%99s-time-know-your-customer-standards-sales-surveillance-equipment/">"Know Your Customer" standards</a>, like those required by the Foreign Corrupt Practices Act and other export regulations, and avoid becoming "repression's little helper." An EFF white paper from April of this year, "<a href="https://www.eff.org/document/human-rights-and-technology-sales">Human Rights and Technology Sales</a>," addresses the problem in greater depth.</p>
<p>For its part, FinFisher has chosen to <a href="https://www.eff.org/deeplinks/2012/02/spy-tech-companies-their-authoritarian-customers-part-i-finfisher-and-amesys">hide behind claims of client confidentiality</a>. In an article in the <em>Wall Street Journal</em> last year, a lawyer for Gamma said it "<a href="http://online.wsj.com/article/SB10001424052702304520804576345970862420038.html">cannot otherwise comment upon its confidential business transactions or the nature of the products it offers.</a>" But promotional materials, obtained through the files discovered in Egypt and through Wikileaks releases, are more forthcoming. <a href="http://owni.eu/2011/12/15/finfisher-for-all-your-intrusive-surveillance-needs/">As reported by OWNI</a>, one 2007 presentation boasted of "Black Hat Hacking tactics to enable Intelligence Agencies to gather information from target systems that would be otherwise extremely difficult to obtain legally."</p>
<p>Citizen Lab has provided a set of straightforward recommendations that advise against opening unsolicited attachments, even from links that appear to be from friends. And now that security researchers have obtained a copy of FinSpy, work can begin on preparing tools that can detect and remove the program from infected computers.</p>
<ul class="footnotes"><li class="footnote" id="footnote1_t7p2cbp"><a class="footnote-label" href="#footnoteref1_t7p2cbp">1.</a> Marquis-Boire has also co-written several entries on this site analyzing reports of Syrian government malware.</li>
</ul></div></div></div>
Wed, 25 Jul 2012 22:54:18 +0000 | Parker Higgins | 71311 at https://www.eff.org | Free Speech, Coders' Rights Project, International, Privacy, Security, State-Sponsored Malware
Meet With EFF Attorneys in Las Vegas to Discuss Your Security Research
https://www.eff.org/deeplinks/2012/07/meet-eff-attorneys-las-vegas
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Thousands of security researchers, information security professionals and hackers descend on Las Vegas each summer for a trio of conferences: <a href="https://www.blackhat.com/">Black Hat USA</a>, <a href="https://www.defcon.org/">DEF CON</a>, and <a href="http://www.securitybsides.com/w/page/51614272/BSidesLV%202012">BSides Las Vegas</a>. We launched our <a href="https://www.eff.org/issues/coders">Coders' Rights Project</a> at Black Hat four years ago to help programmers and developers navigate the murky laws surrounding security research. Every year since then, <span>our attorneys have been on hand in Las Vegas to provide legal information on reverse engineering, vulnerability reporting, copyright law, free speech, and more, and we're thrilled to return again this summer.</span></p>
<p><span>If you'd like to make an appointment to speak with EFF attorneys at Black Hat, DEFCON or BSides Las Vegas, <a href="mailto:info@eff.org">contact us</a> by <strong>Wednesday</strong>, <strong>July 18</strong>, with the name of the conference in the subject line. </span><span>If we can't assist you for any reason, we'll make every effort to put you in touch with a lawyer who can. </span></p>
</div></div></div>
Tue, 10 Jul 2012 17:50:54 +0000 | Marcia Hofmann | 71193 at https://www.eff.org | Announcement, Coders' Rights Project
And the D(EFF)CONtest 2012 Winner Is...You!
https://www.eff.org/deeplinks/2012/07/and-deffcontest-2012-winner-isyou
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><a href="https://www.eff.org/join"><img src="https://w2.eff.org/images/newsletter/defcon18/coders-join.png" alt="Support Coders' Rights With EFF!" align="right" border="0" hspace="10px" /></a>Thank you to all of this year's D(EFF)CONtestants and to the individuals who donated in support of digital civil liberties! <strong>We topped last year's fundraising total bringing in $8,572 — well done!</strong> Every penny helps fund the legal briefs, research, educational resources, and activism campaigns necessary to protect freedom online, so in that sense we are all winners here. In a more immediate sense, here are the winners who will walk away with some super-1337 prizes:</p>
<p><strong>Grand Prize Winner: <a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=59">ArmyTra1n3d</a>!</strong><br />
Congratulations! Your training paid off. You've won a suite at the Rio Hotel and Casino, two DEF CON 20 Human badges, two tickets to Vegas 2.0's (in)famous kickoff party theSummit, two badges for the ultra-exclusive Ninja Networks Party, two passes to the iSEC Partners party, AND an EFF Swag Super Pack!</p>
<p><strong>Second Place Winner: <a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=42">InfoSec Daily Podcast (ISDPodcast)</a>!</strong><br />
Way to go! ISDPodcast, winner of last year's contest, will receive two DEF CON 20 Human badges, two tickets to the Vegas 2.0 Party, two passes to the iSEC Partners party, and an EFF Swag Super Pack!</p>
<p><strong>Third Place Winner: <a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=38">The Holy Handgrenades</a>!</strong><br />
Sweet! THH will receive one DEF CON 20 Human badge, one ticket to the Vegas 2.0 Party, two passes to the iSEC Partners party, and an EFF Swag Super Pack! This is The Holy Handgrenades' third year winning our third prize — that's quite the trinity!</p>
<p>And that's not all! We will award an exclusive EFF DEF CON 20 <a href="http://youtu.be/nLnIaNFGViw">Script Kitty</a> t-shirt to ALL fundraising captains who raised more than $500! This limited run of 500 shirts is coming off of the website and will only be available in Las Vegas this summer! All prize winners will be contacted via email.</p>
<p>EFF remains a powerful voice in online rights battles thanks to your <a href="https://www.eff.org/join">financial support</a> and <a href="https://eff.org/action">personal action</a>. On behalf of the entire EFF team, <i>thank you</i>.</p>
<p><b>Thanks to our D(EFF)CONtest Prize Donors:</b></p>
<ul><li>Dark Tangent and <a href="http://www.defcon.org/">DEF CON</a></li>
<li><a href="https://www.facebook.com/events/172338912893097">Vegas 2.0</a></li>
<li><a href="http://ninjas.org/">Ninja Networks</a></li>
<li><a href="http://www.isecpartners.com">iSEC Partners</a></li>
</ul></div></div></div>
Thu, 05 Jul 2012 19:33:08 +0000 | Aaron Jue | 71156 at https://www.eff.org | Announcement, Coders' Rights Project
Speak With EFF Attorneys at HOPE Number 9
https://www.eff.org/deeplinks/2012/07/speak-eff-attorneys-hope-number-9
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><a href="http://www.hopenumbernine.net/">HOPE Number Nine</a> is fast approaching, and EFF staff members are excited to give a <a href="https://www.eff.org/deeplinks/2012/06/eff-hackers-planet-earth">slew of talks</a> on everything from drones to location privacy to privacy tricks for web developers. We'll also have attorneys on site to provide information about reverse engineering, vulnerability reporting, copyright, free speech, and more.</p>
<p>If you're planning to attend HOPE Number 9 and you'd like to set up an appointment to speak with us there, please <a href="mailto:info@eff.org">contact us</a> by <strong>Monday, July 9</strong>. If you'd like to discuss any concerns about talks you plan to give at HOPE, <a href="mailto:info@eff.org">let us know</a> by <b>Friday, July 6</b>. If we can't assist you, we'll make every effort to put you in touch with an attorney who can.</p>
</div></div></div>
Tue, 03 Jul 2012 05:06:04 +0000 | Marcia Hofmann | 71136 at https://www.eff.org | Announcement, Coders' Rights Project
One More Week to Win the D(EFF)CONtest!
https://www.eff.org/deeplinks/2012/06/one-more-week-win-deffcontest
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><a href="https://supporters.eff.org/defcontest"><img alt="Protect Coders' Rights!" src="https://www.eff.org/files/images_insert/DC20-Shirt.jpg" title="DEF CON 20 Script Kitty Shirts Online Until July 5th!" class="align-right" border="0" height="214" hspace="5px" width="128" /></a>D(EFF)CONtestants have until <strong>Wednesday, July 4, 2012 at 11:59:59 PM PDT</strong> to claim one of the top prizes in our third annual <a href="https://www.eff.org/defcon">DEF CON fundraising contest</a>! Included with <a href="https://www.eff.org/deeplinks/2012/05/third-annual-deffcontest-begins">this year's l33t loot</a> for the top three: a stay at the Rio Hotel and Casino, DEF CON 20 Human Badges, Ninja Party badges, and passes to theSummit. In addition, every D(EFF)CONtestant who encourages their peers to raise a total of $500 or more will automatically receive a limited edition EFF DEF CON 20 Script Kitty t-shirt! So far, D(EFF)CONtestants have raised more than $5,000 to promote Coders' Rights and support freedom for all!</p>
<p><strong>Why should you care about funding digital civil liberties protection?</strong> Donations to EFF make a difference. Every membership helps us advocate for online freedom and shed light on unjust policies <a href="https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=8229">in the U.S.</a>, <a href="https://www.eff.org/deeplinks/2012/06/eff-european-parliament-directive-attack-information-systems">in the European Union</a>, and <a href="https://www.eff.org/deeplinks/2012/06/biometrics-national-id-passports-false-sense-security">all over the world</a>. Right now nearly 20,000 EFF donors are sustaining significant work ranging from our <a href="https://defendinnovation.org">patent reform campaign</a> to <a href="https://www.eff.org/nsa">fighting warrantless surveillance</a> to the defense of online comic artist <a href="https://www.eff.org/press/releases/eff-will-represent-oatmeal-creator-fight-against-bizarre-lawsuit-targeting-critical">Matthew Inman of The Oatmeal</a>. You ensure that EFF is there when we all need it. And the swag is pretty sweet, too! It's your last chance to get the exclusive DC20 Script Kitty t-shirt online because <em>after the contest, they're coming down</em>!</p>
<p><strong>How can you help the cause?</strong> Start by visiting any one of the D(EFF)CONtest team pages and clicking the "Donate Now" button:</p>
<ul><li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=47" target="_blank" title="View Personal Campaign Page">WiredScience</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=51" target="_blank" title="View Personal Campaign Page">Wind</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=38" target="_blank" title="View Personal Campaign Page">The Holy Handgrenades</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=46" target="_blank" title="View Personal Campaign Page">Teamslack</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=39" target="_blank" title="View Personal Campaign Page">Team Yogert</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=48" target="_blank" title="View Personal Campaign Page">Team Tardigrade</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=53" target="_blank" title="View Personal Campaign Page">Team Rocket</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=34" target="_blank" title="View Personal Campaign Page">Team JAIT</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=55" title="View Personal Campaign Page" target="_blank">Team Frabulous</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=49" target="_blank" title="View Personal Campaign Page">Team Cetus</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=33" target="_blank" title="View Personal Campaign Page">Seeds of Epiphany</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=27" target="_blank" title="View Personal Campaign Page">Right to Encrypted Content Liberation Movement<span> </span></a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=40" target="_blank" title="View Personal Campaign Page">Pixel</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=30" target="_blank" title="View Personal Campaign Page">Open Doors</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=50" target="_blank" title="View Personal Campaign Page">NotSurveil</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=35" target="_blank" title="View Personal Campaign Page">lanrofl</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=37" target="_blank" title="View Personal Campaign Page">Joshua Spain</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=42" target="_blank" title="View Personal Campaign Page">InfoSec Daily Podcast (ISDPodcast)</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=43" target="_blank" title="View Personal Campaign Page">https://Lockbin.com</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=45" target="_blank" title="View Personal Campaign Page">foolishBoys</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=41" target="_blank" title="View Personal Campaign Page">EMBX</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=52" target="_blank" title="View Personal Campaign Page">DefBluzCatz</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=44" target="_blank" title="View Personal Campaign Page">dc404</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=31" target="_blank" title="View Personal Campaign Page">Calyx Institute</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=54" target="_blank" title="View Personal Campaign Page">C3KC</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=29" target="_blank" title="View Personal Campaign Page">Boston Linux &amp; UNIX group at MIT</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=28" target="_blank" title="View Personal Campaign Page">Bitghost Security</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=36" target="_blank" title="View Personal Campaign Page">Awesomesauce</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=32" target="_blank" title="View Personal Campaign Page">Alpheus125</a></li>
</ul><p>Thanks, everyone! Find more details about the contest at <a href="https://www.eff.org/defcon">https://www.eff.org/DEFCON</a> or email us at <a href="mailto:contest@eff.org">contest@eff.org</a>. There are just days left!</p>
</div></div></div>
Thu, 28 Jun 2012 17:16:36 +0000 | Aaron Jue | 71100 at https://www.eff.org | Announcement, Coders' Rights Project
Coders' Rights At Risk in the European Parliament
https://www.eff.org/deeplinks/2012/06/eff-european-parliament-directive-attack-information-systems
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p class="MsoNormal"><span>Coders have never been more important to the security of the Internet. By identifying and disclosing vulnerabilities, coders are able to improve security for every user who depends on information systems for their daily life and work. Yet this week, the European Parliament <a href="http://www.europarl.europa.eu/ep-live/en/committees/video?event=20120621-0900-COMMITTEE-LIBE&amp;vodtype=Live%3E">will debate</a> a new draft of vague and sweeping computer crime legislation that threatens to create <a href="https://www.eff.org/issues/coders">legal woes</a> for researchers who expose security flaws.</span></p>
<p class="MsoNormal"><span>On Thursday, the European Parliament will discuss the latest agreement between the European Parliament and Council on a draft Directive on Attacks Against Information Systems. In our <a href="https://www.eff.org/Directive-Attacks-against-Computer-Systems">submission</a> to the European Parliament earlier this year, EFF opposed the wholesale criminalization of tools that can be used to commit attacks against information systems. While they can be used for malicious purposes, they are also crucial for research and testing, including for "defensive" security efforts to make systems stronger and to prevent and deter attacks. <a href="https://www.eff.org/deeplinks/2012/02/eff-european-parliament-protect-coders-rights">EFF also told the European Parliament</a> that their initial draft jeopardized coders' rights to conduct essential security research. The current version, while better, still doesn't address this problem.</span></p>
<p class="MsoNormal"><span>As currently written, the latest version of the Draft Directive </span><span>threatens</span><span> </span><span>coders’ ability to access information systems for security testing without explicit permission. If the European Parliament moves to enact this provision, researchers who study others’ systems in the course of good faith for legitimate research may become criminals.</span><b><i><span><br /></span></i></b></p>
<p class="MsoNormal"><span>Article 3 of the Draft Directive criminalizes intentional access to information systems without prior authorization where the actor infringes a security measure. At the heart of the problem is the directive’s reliance on the concept of accessing information systems “without right,” which is defined as “access, interference, interception, or any other conduct referred to in this Directive, not authorized by the owner, other right holder of the system or part of it, or not permitted under national legislation.” </span></p>
<p class="MsoNormal"><span>The vague notion of “unauthorized access” has proved to be troublesome within the United States Computer Fraud and Abuse Act. For example, creative <a href="https://www.eff.org/deeplinks/2009/07/judge-overturns-lori">prosecutors</a> and litigants have argued in past cases that merely accessing a computer in violation of terms of use makes access “unauthorized,” and therefore a crime. That broad interpretation of the law would criminalize a great deal of innocuous activity. As the Ninth Circuit Court of Appeals recently pointed <a href="https://www.eff.org/cases/u-s-v-nosal">out</a>, “</span><span>By giving that much power to prosecutors, we're inviting discriminatory and arbitrary enforcement.</span><span>”</span></p>
<p class="MsoNormal"><span>The Directive’s caveat about punishing only activities that infringe a "security measure" is an improvement over previous draft language, and will hopefully ensure that merely violating terms of use can’t amount to <a href="https://www.eff.org/press/releases/appeals-court-rules-violating-corporate-policy-not-computer-crime">unauthorized</a> <a href="https://www.eff.org/deeplinks/2009/07/judge-overturns-lori">access</a>.<span> </span>But the vagueness of the term "security measure" creates new problems. Does a user infringe a “security measure” when she stumbles across files in a hidden but <a href="https://www.eff.org/deeplinks/2011/11/carrieriq-censor-research-baseless-legal-threat">unprotected directory</a> on a website?<span> </span>Or when she changes her IP address to avoid an <a href="https://www.eff.org/deeplinks/2010/07/court-violating-terms-service-not-crime-bypassing">IP block</a>, even if for valid, legitimate reasons? </span></p>
<p class="MsoNormal"><span>Another major problem with the draft directive is Article 7, which criminalizes the production, sale, procurement, import, or distribution of tools used to access systems for committing other offenses. This new article rightly tries to link punishment to malicious intent behind using the tool, rather than simply criminalizing the use, production, sale, or distribution of such tools <i>per se</i>. By doing so, this article tries to avoid the criminalization of dual-use tools that can be used for bad purposes, but also for desirable security efforts to prevent and deter attacks. However, Article 7 remains problematic because it relies upon the murky definition of access “without right” and uses Article 3 as a reference for defining criminal intent, which, as we explained above, is vague. </span></p>
<p class="MsoNormal"><span>Another improvement is that the directive seeks to limit criminal punishment to cases that are “not minor.” However, the directive fails to explain what "minor" means in the text itself, leaving the option open for member states to define the term as they see fit.<span> </span>According to the directive’s present wording, maximum penalties for offenses (including distributing tool software) are at least 2 years of imprisonment, 3 years when using botnets and 5 years when committed in the context of organized crime, causing serious damage, or committed against a critical infrastructure.<br /></span></p>
<p class="MsoNormal"><span>Security researchers are a crucial part of any effective security strategy. Unfortunately, this directive creates a very real possibility that they may face serious criminal punishments for their work, which creates a strong disincentive for them to do it. While the directive’s legally non-binding recitals suggest a number of safeguards, including for human rights and security testing, it is troubling that those protections are not included in the articles themselves. </span></p>
<p class="MsoNormal"><span>The European Union should implement a target-hardening strategy to provide strong incentives and support for security researchers to identify and disclose vulnerabilities and motivate providers to quickly issue patches and updates.<span> </span>Please tune in this <a href="http://www.europarl.europa.eu/ep-live/en/committees/video?event=20120621-0900-COMMITTEE-LIBE&amp;vodtype=Live%3E">Thursday at 11:00 am</a> Brussels time for a live stream of the directive debate in the European Parliament.<span> </span></span></p>
</div></div></div>Wed, 20 Jun 2012 21:10:30 +0000Katitza Rodriguez and Marcia Hofmann71034 at https://www.eff.orgLegislative AnalysisCoders' Rights ProjectInternationalEFF EuropeThe D(EFF)CONtest Rages Onhttps://www.eff.org/deeplinks/2012/06/deffcontest-rages
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>With weeks left to go on our third annual fundraising contest, supporters have already raised over $4,000 in donations to help support EFF and the Coders’ Rights Project! Our thanks to <strong><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=38">The Holy Handgrenades</a></strong> leading the pack at $1,410.78, with last year’s Grand Prize Winners <strong><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=42">InfoSec Daily Podcast (ISDPodcast)</a></strong> at $801, followed closely by the <strong><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=44">dc404</a></strong> crew at $675. You’re doing great!<span> </span>EFF’s annual D(EFF)CONtest helps fund tireless legal defense, activism, counseling, and community education for professional security researchers and tinkerers alike. Through these donor-supported efforts, EFF stands behind everyone who values knowledge and the freedom to innovate.</p>
<p>You can help by donating to EFF through one of the D(EFF)CONtest teams listed below, or by <a href="https://www.eff.org/defcon">starting your own team today</a>! Fabulous prizes await the winners including a weekend stay at the Rio Hotel and Casino, DEF CON Human Badges, Ninja Party badges, passes to theSummit party, the iSEC Partners party, and EFF swag including our exclusive <a href="http://youtu.be/nLnIaNFGViw">DEF CON 20 Script Kitty</a> T-Shirt. Contestants unlock a Script Kitty Trophy at every $250 and one of the new shirts at $500!</p>
<p><a href="https://www.eff.org/files/images_insert/DEFCON20-Script-Kitty-Detail_0.jpg"><img src="https://www.eff.org/files/images_insert/DEFCON20-Script-Kitty2_0.jpg" alt="D(EFF)CONtest Script Kitty T-Shirt" title="Click for a closer look at Script Kitty's code." height="320" width="667" /></a></p>
<p>So if you can't go to Las Vegas this summer, get your limited edition DEF CON 20 Script Kitty T-Shirt online when you join or renew at the Gold Membership Level or higher. You can even reserve a spot at theSummit party with Vegas 2.0 and a host of security research luminaries. Start by visiting one of the D(EFF)CONtest team pages and clicking the "Donate Now" button:</p>
<ul>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=32" title="View Personal Campaign Page" target="_blank">Alpheus125</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=36" title="View Personal Campaign Page" target="_blank">Awesomesauce</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=28" title="View Personal Campaign Page" target="_blank">Bitghost Security</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=29" title="View Personal Campaign Page" target="_blank">Boston Linux &amp; UNIX group at MIT</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=31" title="View Personal Campaign Page" target="_blank">Calyx Institute</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=44" title="View Personal Campaign Page" target="_blank">dc404</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=41" title="View Personal Campaign Page" target="_blank">EMBX</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=45" title="View Personal Campaign Page" target="_blank">foolishBoys</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=43" title="View Personal Campaign Page" target="_blank">https://Lockbin.com</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=42" title="View Personal Campaign Page" target="_blank">InfoSec Daily Podcast (ISDPodcast)</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=37" title="View Personal Campaign Page" target="_blank">Joshua Spain</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=35" title="View Personal Campaign Page" target="_blank">lanrofl</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=50" title="View Personal Campaign Page" target="_blank">NotSurveil</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=30" title="View Personal Campaign Page" target="_blank">Open Doors</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=40" title="View Personal Campaign Page" target="_blank">Pixel</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=27" title="View Personal Campaign Page" target="_blank">Right to Encrypted Content Liberation Movement</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=33" title="View Personal Campaign Page" target="_blank">Seeds of Epiphany</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=49" title="View Personal Campaign Page" target="_blank">Team Cetus</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=34" title="View Personal Campaign Page" target="_blank">Team JAIT</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=48" title="View Personal Campaign Page" target="_blank">Team Tardigrade</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=39" title="View Personal Campaign Page" target="_blank">Team Yogert</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=46" title="View Personal Campaign Page" target="_blank">Teamslack</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=38" title="View Personal Campaign Page" target="_blank">The Holy Handgrenades</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=51" title="View Personal Campaign Page" target="_blank">Wind</a></li>
<li><a href="https://supporters.eff.org/civicrm/pcp/info?reset=1&amp;id=47" title="View Personal Campaign Page" target="_blank">WiredScience</a></li>
</ul><p>Thanks, everyone! Find more details about the contest at <a href="https://www.eff.org/defcon">https://www.eff.org/DEFCON</a> or email us at <a href="mailto:contest@eff.org">contest@eff.org</a>. The D(EFF)CONtest ends after 11:59:59 PDT on July 4, 2012, so there is still time to sign up and win. Go 1337 or Go Home!</p>
</div></div></div>Tue, 12 Jun 2012 22:17:51 +0000Aaron Jue70920 at https://www.eff.orgAnnouncementCoders' Rights ProjectApple's Crystal Prison and the Future of Open Platformshttps://www.eff.org/deeplinks/2012/05/apples-crystal-prison-and-future-open-platforms
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>Two weeks ago, Steve Wozniak <a href="http://www.itnews.com.au/News/300704,wozniak-calls-for-open-apple.aspx">made a public call</a> for Apple to open its platforms for those who wish to tinker, tweak and innovate with their internals.</p>
<p>EFF supports Wozniak's position: while Apple's products have many virtues, they are marred by an ugly set of restrictions on what users and programmers can do with them. This is most especially true of iOS, though other Apple products sometimes suffer in the same way. In this article we will delve into the kinds of restrictions that Apple, phone companies, and Microsoft have been imposing on mobile computers; the excuses these companies make when they impose these restrictions; the dangers this is creating for open innovation; and why Apple in particular should lead the way in fixing this mess. We also propose a bill of rights that needs to be secured for people who are purchasing smartphones and other pocket computers.</p>
<p>Apple's recent products, especially their mobile iOS devices, are like beautiful crystal prisons, with a wide range of restrictions imposed by the OS, the hardware, and Apple's contracts with carriers as well as contracts with developers. Only users who can hack or "jailbreak" their devices can escape these limitations.</p>
<p><b>[29th of May, 2012: we have added two updates to this post, <a href="#gatekeeper-update">here</a> and <a href="#uefi-update">here</a>]</b></p>
<h2>Locked down devices</h2>
<h3>iOS</h3>
<p>Apple changed the way we think about mobile computing with the iPhone, but they have also led the charge in creating restrictive computers and restrictive marketplaces for software. You may have purchased an iPad, but unless you've exploited a vulnerability in iOS to jailbreak it, there are many things you cannot install on it. The App Store has thousands of apps to choose from, but your choices are limited to apps that Apple has approved and that can function without <a href="https://en.wikipedia.org/wiki/Superuser">"root" or "administrator"</a> privileges.</p>
<p>Apple has been known to reject or remove apps from sale because of their content (<a href="http://techcrunch.com/2010/12/20/apple-removes-wikileaks-app-from-app-store/">WikiLeaks app banned</a>, <a href="http://news.cnet.com/8301-13579_3-10247565-37.html">eBook reader with access to Kama Sutra banned</a>), for <a href="https://www.nytimes.com/2011/02/01/technology/01apple.html">not using Apple to process payments</a>, and for being capable of <a href="http://reviews.cnet.com/8301-19512_7-10277725-233.html">executing code that Apple can't approve</a>. While Apple's policies have improved in the years since the iPhone first launched, the company still maintains total control over what apps are available to consumers. Unlike Android, iOS does not have an option to install apps from sources other than the App Store.<a class="see-footnote" id="footnoteref1_xkplyna" title="AT&amp;T used to impose a similar restriction on the Android-based devices that it sold, but ended those restrictions last year. Unfortunately, some device makers still are tempted to restrict their customers in similar ways." href="#footnote1_xkplyna">1</a> Apps that require administrative privileges are also impossible to install on an iOS device without jailbreaking it. This includes apps that let you tether your phone to a computer, change the look and feel of your phone's user interface, <a href="http://iphonemonsta.com/firewall-ip-iphone-ios-ipad-cydia-tweak">firewall</a> your device, secure your internet traffic with OpenVPN<a class="see-footnote" id="footnoteref2_sggxrlq" title="iOS offers some options for VPNs, but not OpenVPN. GuizmoOVPN is an open source OpenVPN client for jailbroken iOS devices." href="#footnote2_sggxrlq">2</a>, amongst many others. Jailbreaking also helps security and privacy researchers observe apps on their phones to see if they're leaking any private data.</p>
<p class="align-right">
<img src="/sites/default/files/images_insert/cydia.png" width="266" height="400" alt="The Cydia App Store for Jailbroken iPhones" title="The Cydia App Store for Jailbroken iPhones" /><br /><i>The Cydia App Store for Jailbroken iPhones</i></p>
<p>Many of these apps are readily available through <a href="https://en.wikipedia.org/wiki/Cydia_%28application%29">Cydia</a>, an alternative store for jailbroken iOS devices.</p>
<p>Additionally, because Apple modifies binaries before publishing apps in the App Store, open source apps released under the GNU General Public License cannot be published without the approval of all authors, which caused the popular media player VLC to get removed from sale. If you need VLC to play media that won't play with the built-in Video app, you can download it to your jailbroken device with freedom intact from Cydia, and the <a href="http://www.videolan.org/vlc/download-ios.html">source code is available</a> on their website.</p>
<p>Since jailbreaking is so useful, why doesn't Apple let their customers (or at least their <a href="https://mandatorytech.files.wordpress.com/2012/04/steve_jobs_wozniak_apple_computer.jpg?w=479">technically inclined</a> customers) do it? One reason is the profits from the App Store. Apple keeps 30% of the money from each app or in-app-purchase sold through its App Store. That means that for each 99 cent app sold, the developer gets 69.3 cents and Apple gets 29.7 cents. Cydia has <a href="http://www.washingtonpost.com/business/economy/once-the-hobby-of-tech-geeks-iphone-jailbreaking-now-a-lucrative-industry/2011/04/01/AFBJ0VpC_story.html">4.5 million weekly users and earns $10 million in annual revenue</a>, and Apple doesn't get any of that competition. This is more like traditional software sales where consumers get to choose which store they buy their software from, and they can even buy it directly from the developer. Locking down iOS helps Apple maintain their monopoly on software sales for iOS.</p>
<h3 id="gatekeeper">Mountain Lion and Gatekeeper</h3>
<p>Unfortunately, Apple is building more of the restrictions that it pioneered with iOS into Mac OS X for laptops and desktops. Apple started running the <a href="http://gizmodo.com/5885837/this-is-how-apple-will-block-unapproved-apps-with-mountain-lions-gatekeeper">Mac App Store</a> in early 2011 to sell Mac software. Like the iOS App Store, Apple takes a 30% cut of all software sold. The upcoming version of Mac OS X, Mountain Lion, will reportedly include warning messages that <a href="http://gizmodo.com/5885837/this-is-how-apple-will-block-unapproved-apps-with-mountain-lions-gatekeeper">strongly discourage</a> users from installing apps from sources other than the Mac App Store.</p>
<p></p><center><img src="/sites/default/files/images_insert/gatekeeper2.jpg" width="422" height="209" alt="OS X Mountain Lion scares users away from Adium" title="OS X Mountain Lion scares users away from Adium" /><br /><i>OS X Mountain Lion scares users away from Adium</i></center>
<p>Fortunately, it will be possible to turn this off in Mountain Lion and install apps from anywhere you want, but Apple is continuing down the dangerous road of making their products less open. OS X software authors will find themselves subject to the whims of Apple HQ. What would Mozilla do if Apple refused to authorize Firefox for OS X Mountain Lion, in the same way that Apple <a href="http://www.firefoxfacts.com/2008/07/23/no-iphone-firefox-apple-makes-it-too-hard/">refuses to allow a true version of Firefox for the iPhone</a>? Watch half their Mac market share disappear?</p>
<blockquote><p>
<b id="gatekeeper-update">UPDATE: A few people have written to argue that we are being unfair to Apple in the above paragraph, because any "Identified Developer" can sign code so that it is installable on OS X Mountain Lion with the default Gatekeeper settings. We do not think we are being unfair, but a few more details are in order:</b></p>
<ol><li><b>The Mountain Lion "Gatekeeper" code has <a href="http://www.macworld.co.uk/macsoftware/news/?newsid=3338078">three possible settings</a>; the default is that only code from the Mac App Store or Identified Developers is installable;</b></li>
<li><b>We believe that being an "Identified Developer"<a class="see-footnote" id="footnoteref3_50o31o7" title="Many aspects of the Gatekeeper Developer ID program are only documented to parties who agree to an NDA with Apple, which we will not do. However Apple is clear that a Developer ID requires membership in the Mac Developer Program, and also implies that membership of that program requires agreement to the Mac Developer Program License Agreement." href="#footnote3_50o31o7">3</a> requires <a href="https://developer.apple.com/programs/mac/">paying $99/year</a> and agreeing to two contracts with Apple: the <a href="http://developer.apple.com/programs/terms/registered_apple_developer_20100301.pdf">Registered Apple Developer Agreement</a> and the Mac Developer Program License Agreement, which Apple tries to keep secret but which may look like <a href="http://old.nabble.com/attachment/30078918/0/mac_program_agreement_20101020.pdf">this</a>. Free software projects like Adium may or may not be willing or able to restrict themselves in this way.</b>
</li><li><b>Even if projects sign their applications as "Identified Developers", a large fraction of OS X users may <a href="http://www.macworld.co.uk/macsoftware/news/?newsid=3338078">set gatekeeper to "App Store only"</a>, because the UI makes that look like the "safest" option. The App Store itself has <a href="https://en.wikipedia.org/w/index.php?title=Mac_App_Store&amp;oldid=491527513#Regulations">numerous problematic restrictions</a>, including a <a href="https://www.fsf.org/blogs/licensing/more-about-the-app-store-gpl-enforcement">prohibition on GPLed code</a> (which is also a <a href="http://www.internetnews.com/bus-news/article.php/3933591/What+is+the+Top+Open+Source+License.htm">prohibition on most free software</a>). If, say, 10-20% of OS X users pick "App Store only", Gatekeeper will reduce the market share of free software like Adium by a similar percentage.</b>
</li></ol><p>
</p></blockquote>
<p>It's true that you might accidentally install malware if you get software from outside of Apple's App Stores. But while Apple tries to test all submitted apps to see if they're malicious, <a href="http://www.bbc.co.uk/news/technology-15635408">they don't always succeed</a>. The security benefits of using a signed package manager are well established. GNU/Linux distributions have been doing this since the 1990s, and it's one of the primary reasons they're known for good security. But Apple perverts these benefits when your choice to install software from other sources is taken away, and when the only available app store charges developers 30% of their potential profits.</p>
<h3 id="uefi">Microsoft: UEFI and Windows RT</h3>
<p>In many ways, the Windows ecosystem has been more open than iOS's since it began. People have always been able to install whatever software they want in Windows, and whatever operating systems they want on their PCs. It's common for tinkerers to dual-boot their PCs with GNU/Linux and other operating systems, and some users choose to completely remove Windows.</p>
<p>However, this is going to change, at least for Microsoft's mobile and embedded OSes. Microsoft recently announced that in order to be <a href="http://msdn.microsoft.com/en-us/windows/hardware/gg463010">Windows 8 hardware certified</a>, personal computers must implement the "secure boot" option in the <a href="http://www.uefi.org/about/">Unified Extensible Firmware Interface (UEFI) firmware interface specification</a>, which is a modern replacement for the traditional PC BIOS. When "secure mode" is enabled, UEFI will execute only operating system bootloader code that is digitally signed, which could effectively shut out non-Windows 8 operating systems, including earlier versions of Windows. In response to <a href="http://mjg59.dreamwidth.org/5552.html">warnings</a> and <a href="https://www.softwarefreedom.org/news/2011/dec/02/proposed-dmca-exemption/">legal steps</a> from the free software community, Microsoft agreed to require "Windows 8" certified x86 and x86-64 hardware vendors to offer a way to turn off this "secure boot" option that locks out user-modified OSes.</p>
<p>Unfortunately, that's not the end of the story. For Windows computers with ARM processors, which will include Microsoft's new <a href="https://en.wikipedia.org/wiki/Windows_RT">Windows RT</a> tablet devices, the story is completely different. Manufacturers will be <a href="http://arstechnica.com/information-technology/2012/01/windows-8s-locked-bootloaders-much-ado-about-nothing-or-the-end-of-the-world-as-we-know-it/">forbidden to allow booting to any operating system besides Windows</a>. Microsoft is copying Apple's model and <a href="https://www.softwarefreedom.org/blog/2012/jan/12/microsoft-confirms-UEFI-fears-locks-down-ARM/">denying their users</a> the right to choose an alternative OS or modify the one they paid for.</p>
<p>Microsoft is also planning on restricting which applications are allowed to run with high privileges in Windows RT. The only web browser that will be allowed to run with these privileges is Internet Explorer. Harvey Anderson, Mozilla's General Counsel, <a href="https://blog.mozilla.org/blog/2012/05/09/windows-on-arm-users-need-browser-choice-too/">warned about this on Mozilla's blog</a>:</p>
<blockquote><p>Why does this matter to users? Quite simply because Windows on ARM -as currently designed- restricts user choice, reduces competition and chills innovation. By allowing only IE to perform the advanced functions of a modern Web browser, third-party browsers are effectively excluded from the platform.</p></blockquote>
<p>Microsoft, like Apple, is moving toward a dangerous future where users have less freedom to do what they want with their computers, where developers are restricted in what they can accomplish, and where competition and innovation are stifled.</p>
<p><b id="uefi-update">UPDATE: The Free Software Foundation is <a href="https://www.fsf.org/campaigns/secure-boot-vs-restricted-boot/statement">running a campaign</a> about Windows/UEFI restrictions on X86 and ARM devices.</b></p>
<h2>Inadequate Excuses for Restricting Innovation</h2>
<p>When technology and phone companies defend the restrictions that they are imposing on their customers, the most frequent defense they offer is that it's actually <i>in their customers' interest</i> to be deprived of liberty: "If we let people do what they want with their pocket computers, they will do stupid things with them. You will be safer and happier in our walled compound than you would be outside."</p>
<p>This is an elaborate misdirection. It may or may not be true that any particular user gets a better result from the pristine AT&amp;T/Sprint/Apple/Microsoft experience than they do from a modifiable OS. Those companies should feel free to continue offering their own visions of how a pocket computer should function, so long as there is a simple, documented, and reliable way to drill into a settings menu, unlatch the gate of the crystal prison, and leave.</p>
<p><a name="bill-of-rights" id="bill-of-rights"></a></p>
<h2>Toward a bill of rights for mobile computer owners</h2>
<p>There are four rights that people purchasing computers should enjoy:</p>
<ol><li><strong>Installation of arbitrary applications on the device.</strong> If the user wishes to, they should not be limited to what is included in one particular proprietary "app store."</li>
<li><strong>Access to the phone OS at the root/superuser/hypervisor/administrator level.</strong> If consumers wish to examine the low-level code that is running in their pockets, to check for invasions of privacy, run the anti-virus software of their choice, join VPNs, install firewalls, or just tinker with their operating systems, <i>phone and device companies have no legitimate basis for preventing this</i>.</li>
<li><strong>The option to install a different OS altogether.</strong> If people want to install Linux on their iPhones, <a href="https://www.mozilla.org/b2g/">Boot to Gecko</a> on their Windows phones, or just run a <a href="http://www.cyanogenmod.com/">different version of Android</a> on their Android phones, the company that sold them the hardware must not prevent them. Using a cryptographic bootloader to defend against malware is a fine idea, but there must be a way to reconfigure this security mechanism to (1) allow an alternative OS to be installed and (2) offer the same cryptographic protections for the alternative OS.</li>
<li><strong>Hardware warranties that are clearly independent of software warranties.</strong> Apple <a href="http://www.cultofmac.com/52463/apples-official-response-to-dmca-jailbreak-exemption-it-voids-your-warranty/">denies warranty coverage</a> to users who have jailbroken their iPhones. While nobody is asking Apple to support jailbroken or modified software, it is inexcusable that the company <a href="https://support.apple.com/kb/ht3743">threatens not to cover</a>, say, a faulty screen, if the customer has chosen to modify the software on their device.</li>
</ol><h2>Why Apple Can Lead the Way Out</h2>
<p>Apple did not invent the culture of imposing restrictions on what kinds of programs people could run on the computers in their pockets. Mobile phone manufacturers and carriers were making life miserable for programmers long before Apple entered the smartphone market, and writing code for phones in those days was described as <a href="/sites/default/files/wu07wireless-carterfone.pdf">"a tarpit of misery, pain, and destruction"</a>. If anything, Apple's innovation was to show that it was possible to have a computing platform that was simultaneously useful, successful, and deeply restrictive of what people were able to do with it.</p>
<p>Nor is Apple necessarily the leading culprit in anti-competitive OS design today. AT&amp;T, which not only encourages Apple's restrictiveness, but also distributes its own modified and heavily restricted versions of the Android operating system, might even be the worse actor.</p>
<p>What Apple has is the institutional wisdom to know better, and the ability to fix the situation. Apple understands the importance of open platforms: their devices <a href="https://en.wikipedia.org/wiki/Darwin_%28operating_system%29">wouldn't exist without them</a>. Apple's incredibly strong brand and stature in the marketplace mean that the company could give people the freedom to tinker with their devices without measurably affecting its own profits or the experience of its "mainstream", non-tinkering users. And while the phone companies like to play at being gatekeepers in the retail phone market, we doubt that they can dictate terms to Apple.</p>
<p>Apple, take Woz's advice. No place, and no system, can be perfect if it denies its citizens the freedom to change it, or the freedom to leave.</p>
<ul class="footnotes"><li class="footnote" id="footnote1_xkplyna"><a class="footnote-label" href="#footnoteref1_xkplyna">1.</a> AT&amp;T used to impose a similar restriction on the Android-based devices that it sold, but <a href="http://www.engadget.com/2011/05/17/atandt-sideloading-officially-a-go-designed-to-allow-amazon-appst/">ended those restrictions</a> last year. Unfortunately, some device makers still are tempted to <a href="http://androidcommunity.com/blackberry-playbook-to-lose-android-side-loading-for-fear-of-piracy-20120409">restrict their customers</a> in similar ways.</li>
<li class="footnote" id="footnote2_sggxrlq"><a class="footnote-label" href="#footnoteref2_sggxrlq">2.</a> iOS offers some options for VPNs, but not OpenVPN. <a href="http://www.guizmovpn.com/">GuizmoOVPN</a> is an open source OpenVPN client for jailbroken iOS devices.</li>
<li class="footnote" id="footnote3_50o31o7"><a class="footnote-label" href="#footnoteref3_50o31o7">3.</a> Many aspects of the Gatekeeper Developer ID program are only documented to parties who agree to an NDA with Apple, which we will not do. However <a href="https://developer.apple.com/resources/developer-id/">Apple is clear</a> that a Developer ID requires membership in the Mac Developer Program, and <a href="https://developer.apple.com/appstore/guidelines.html">also implies</a> that membership of that program requires agreement to the Mac Developer Program License Agreement.</li>
</ul></div></div></div>Tue, 29 May 2012 07:45:02 +0000Micah Lee and Peter Eckersley70788 at https://www.eff.orgCall To ActionTechnical AnalysisInnovationCoders' Rights ProjectMobile devicesAppeals Court Rules That Violating Corporate Policy Is Not a Computer 
Crimehttps://www.eff.org/press/releases/appeals-court-rules-violating-corporate-policy-not-computer-crime
<div class="field field-name-field-pr-subhead field-type-text field-label-hidden"><div class="field-items"><div class="field-item even">Ninth Circuit Blocks Dangerous Interpretation of Federal Statute</div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>San Francisco - A federal appeals court today rejected a dangerous interpretation of the federal anti-hacking law, dismissing charges that would have criminalized any employee's use of a company's computers in violation of corporate policy.</p>
<p>The Electronic Frontier Foundation (EFF) filed an amicus brief in this case, U.S. v. Nosal, urging the court to come to this conclusion as part of its ongoing work to ensure fair application of the federal Computer Fraud and Abuse Act (CFAA).</p>
<p>"Basing criminal liability on violations of private computer use policies can transform whole categories of otherwise innocuous behavior into federal crimes simply because a computer is involved," said the opinion by Chief Judge Alex Kozinski of the 9th U.S. Circuit Court of Appeals.</p>
<p>In Nosal, the government prosecuted an ex-employee of an executive recruiting firm on the theory that he induced current company employees to use their legitimate credentials to access a proprietary database and provide him with information in violation of corporate computer-use policy. The government claimed that the violation of policy constituted a violation of the CFAA, a law with criminal penalties.</p>
<p>EFF argued in its amicus brief that turning mere violations of company policies into computer crimes could potentially create a massive expansion of the law – making millions of law-abiding workers criminals for innocent activities like sending a personal e-mail or checking sports scores from a work computer, and leaving them vulnerable to prosecution at the government's whim. The court agreed in an en banc decision, replacing a ruling last year in which a three-judge panel found that disloyal employees who breach computer use policies run afoul of the CFAA.</p>
<p>"We shouldn't have to live at the mercy of our local prosecutor," said the opinion. "Employees who call family members from their work phones will become criminals if they send an email instead. Employees can sneak in the sports section of the New York Times to read at work, but they'd better not visit ESPN.com."</p>
<p>"This is an important victory for all Americans who use computers at work," said EFF Senior Staff Attorney Marcia Hofmann. "Violating a private computer use policy shouldn't be a crime, just as violating a website's terms of use shouldn't be a crime. These policies are often vague, arbitrary, confusing and contradictory. Putting people on the hook for criminal liability when they violate these agreements would leave millions of law-abiding computer users vulnerable to federal prosecution."</p>
<p>"EFF has been fighting these aggressive government hacking arguments for years," said EFF Staff Attorney Hanni Fakhoury. "We're happy to see the court recognize that the government overreached here, and it issued a thoughtful decision that protects the rights of users."</p>
<p>For the full opinion in U.S. v. Nosal:<br /><a href="https://www.eff.org/node/70244">https://www.eff.org/node/70244</a></p>
<p>Contacts:</p>
<p>Marcia Hofmann<br />
Senior Staff Attorney<br />
Electronic Frontier Foundation<br />
marcia@eff.org</p>
<p>Hanni Fakhoury<br />
Staff Attorney<br />
Electronic Frontier Foundation<br />
hanni@eff.org</p>
</div></div></div>Tue, 10 Apr 2012 22:21:07 +0000Rebecca Jeschke70246 at https://www.eff.org EFF to European Parliament: Protect Coders’ 
Rightshttps://www.eff.org/deeplinks/2012/02/eff-european-parliament-protect-coders-rights
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>As the European Parliament considers passing a directive that would target hacking, EFF <a href="https://www.eff.org/Directive-Attacks-against-Computer-Systems">has submitted comments</a> urging the legislators not to create legal woes for researchers who expose security flaws.</p>
<p>In the United States, laws such as the Digital Millennium Copyright Act and the Computer Fraud and Abuse Act have created a murky legal landscape for researchers who conduct independent analysis of technology for security threats. Throughout the world, the <a href="http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm">Convention on Cybercrime</a> has caused similar problems. Now, new vague and sweeping computer crime legislation is back on the European Union's agenda threatening <a href="https://www.eff.org/issues/coders">coders' rights</a>: the European Commission’s proposal on a draft <a href="http://ec.europa.eu/home-affairs/policies/crime/1_EN_ACT_part1_v101.pdf">Directive on Attacks Against Information Systems</a> [pdf].</p>
<p>All told, the European Commission needs to make a stronger case for why this directive is needed at all. We believe it is largely duplicative of the Convention on Cybercrime, which itself is riddled with problems. Should the proposed directive move forward, however, we urge the Parliament to improve several aspects.</p>
<p><strong>No criminalization of tools</strong></p>
<p>The main so-called “<a href="http://ec.europa.eu/home-affairs/policies/crime/crime_cybercrime_en.htm">novelty</a>” of the draft directive is the criminalization of the use, production, sale, or distribution of tools to commit attacks against information systems. In our <a href="https://www.eff.org/Directive-Attacks-against-Computer-Systems">submission</a> to the European Parliament, we opposed the wholesale criminalization of these tools: while they can be used for malicious purposes, they are also crucial for research and testing, including for "defensive" security efforts to make systems stronger and to prevent and deter attacks.</p>
<p>We urge the Parliament to focus on the intent behind using the tool, rather than mere possession, use, production, or distribution of such tools <i>per se</i>. The latter approach threatens valuable security testing that makes technology more robust and benefits us all.</p>
<p><strong>Protect coders’ rights to unauthorized access to computers for security testing</strong></p>
<p>We asked the European Parliament to protect researchers who access a computer system without explicit permission when the perpetrator does not have a criminal intent, or <em>mens rea</em>. This protection is needed to safeguard security researchers’ rights to free expression and innovation. Examining computers without the explicit permission of the owner is necessary for a vast amount of useful research, which might never be done if obtaining prior permission was a legal requirement.</p>
<p>The language of the draft Directive resembles language in the <a href="http://www.law.cornell.edu/uscode/text/18/1030"> Computer Fraud and Abuse Act</a> (CFAA), which provides, among other things, that it is illegal to ‘intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] . . . information from any protected computer.’</p>
<p>The precise scope of the phrases "without authorization" and "exceeds authorized access" has been hotly disputed in the US courts, with the US government and private companies arguing for a broad interpretation that would go so far as to criminalize violations of private contractual agreements. <a class="see-footnote" id="footnoteref1_qpbbhaa" title="See United States v. Drew, United States v. Lowson, United States v. Nosal, Lee v. PMSI, Inc., Facebook v. Power Ventures" href="#footnote1_qpbbhaa">1</a> If adopted by European courts, this approach threatens to put the immense coercive power of criminal law into the hands of those who draft contracts. This means that private parties, rather than lawmakers, would be in a position to determine what conduct is criminal, simply by prohibiting it in an agreement. Criminalizing breaches of website terms of use could turn millions of Internet users into criminals for typical everyday activities.</p>
<p>The US experience can serve as a warning to European legislators that vague, ill-defined terms can have deleterious effects on free expression, innovation, and competition, especially with respect to the meaning of "authorized" computer access.</p>
<p><strong>Protect coders' rights to free expression and innovation</strong></p>
<p>Finally, we asked the European Parliament to <a href="https://www.eff.org/issues/coders/vulnerability-reporting-faq#faq5">protect security researchers’ right to free expression</a>. Their ability to freely report security flaws is crucial and highly beneficial for the global online community. Public disclosure of security information enables informed consumer choice and encourages vendors to be truthful about flaws, repair vulnerabilities, and improve upon products.</p>
<p>For example, in early February, two German security researchers <a href="http://www.telegraph.co.uk/technology/news/9058529/Satellite-phone-encryption-cracked.html">reported</a> a vulnerability in two encryption systems that could allow eavesdropping on hundreds of thousands of satellite phone calls. Public disclosure of this kind of research allows consumers to be better informed and aware that their communications are not actually protected, which in turn lets them make thoughtful choices about the technology they use. Hopefully it could even inspire the <a href="http://www.etsi.org/WebSite/AboutETSI/AboutEtsi.aspx">European Telecommunications Standards Institute</a> to formulate a stronger security algorithm that protects users’ privacy.</p>
<p>In our submission, we asked the Parliament to protect the rights of those researchers and <a href="https://www.eff.org/pages/grey-hat-guide">whistleblowers</a>. In the course of fixing a problem, they could inadvertently violate laws—even if they never intend to steal information, invade people’s privacy, or otherwise cause harm. By reporting the vulnerability, researchers could risk exposing themselves to a lawsuit or criminal investigation. On the other hand, potentially serious security flaws will go unaddressed if security researchers are forced to withhold information to protect themselves from possible legal liability.</p>
<p>All told, the European Commission hasn’t demonstrated that this proposed directive is necessary, and we don’t think it is. If this proposal moves forward, though, the European Parliament needs to narrowly define and clarify it. The goal should be to leave breathing room for legitimate security research and testing, allowing security researchers to flourish and do what they do best.</p>
<ul class="footnotes"><li class="footnote" id="footnote1_qpbbhaa"><a class="footnote-label" href="#footnoteref1_qpbbhaa">1.</a> See <a href="https://www.eff.org/cases/united-states-v-drew">United States v. Drew</a>, <a target="_blank" href="https://www.eff.org/cases/u-s-v-lowson">United States v. Lowson</a>, <a target="_blank" href="https://www.eff.org/cases/u-s-v-nosal">United States v. Nosal</a>, <a target="_blank" href="https://www.eff.org/deeplinks/2011/12/2011-review-hacking-law">Lee v. PMSI, Inc.</a>, <a target="_blank" href="https://www.eff.org/cases/facebook-v-power-ventures">Facebook v. Power Ventures</a></li>
</ul></div></div></div>Mon, 27 Feb 2012 03:22:10 +0000Katitza Rodriguez and Marcia Hofmann69777 at https://www.eff.orgNews UpdateFree SpeechInnovationCoders' Rights ProjectInternationalEFF EuropeSecurityCourt Finds Social Network Add-On Violated Spam, Hacking 
Lawshttps://www.eff.org/deeplinks/2012/02/court-finds-social-network-add-violated-spam-hacking-laws
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>In a potentially troublesome <a href="https://www.eff.org/files/filenode/facebook_power_order.pdf">decision</a>, a federal district court has found that a start-up violated anti-spam and computer crime laws by creating and marketing a browser to let users view their social networking accounts in one place. The case demonstrates the difficulties facing those who seek to empower users to interact with closed services like Facebook in new and innovative ways.</p>
<p>In <em><a href="http://www.eff.org/cases/facebook-v-power-ventures">Facebook v. Power Ventures</a></em>, Facebook sued a small company that created a tool for users to access and aggregate their personal information across social networking sites. In 2010, the court <a href="https://www.eff.org/deeplinks/2010/07/court-violating-terms-service-not-crime-bypassing">ruled</a> that Power didn't access Facebook "without permission" under <a href="http://law.onecle.com/california/penal/502.html">California computer crime law</a> when it violated Facebook's terms of use, agreeing with arguments we raised in an <a href="http://www.eff.org/files/filenode/facebook_v_power/FBvPower_June%20Amicus%20Final.pdf">amicus brief</a> (pdf).</p>
<p>Unfortunately, the latest round of the case has taken a downward turn in ways that could have serious implications for other innovators and users.</p>
<p>First, the court gave a tremendous cudgel to Facebook against commercial users who displease it when it decided that Power violated the federal <a href="http://www.law.cornell.edu/uscode/text/15/chapter-103">CAN-SPAM Act</a> by sending "misleading" messages. These messages encouraged users to send Facebook "Event" invitations to their friends to promote Power's service. As EFF pointed out in an <a href="https://www.eff.org/files/filenode/Facebook_PV_Amicus_Brief.pdf">amicus brief</a> (pdf), though, the allegedly "misleading" elements of the message are supplied by Facebook itself—and can't be changed by users. This means that any user who sends a commercial message on Facebook is technically in violation of the law, since it appears to come from Facebook. The CAN-SPAM Act, passed in 2003, simply doesn't contemplate closed systems where the service provider controls many elements of a message. </p>
<p>To make matters worse, the CAN-SPAM Act only allows service providers to bring lawsuits, and it lets them seek crippling damages. Here, Facebook sought over $18 million. This is a clear example of a law vulnerable to misuse because technology has changed since it was written, and it wasn't even written a decade ago. EFF will be watching how Facebook and other services with closed messaging systems use CAN-SPAM in the future.</p>
<p>Second, the court found that Power violated <a href="http://law.onecle.com/california/penal/502.html">state</a> and <a href="http://www.law.cornell.edu/uscode/text/18/1030">federal</a> computer crime laws merely by designing its tool to connect to Facebook using multiple IP addresses, which preemptively thwarted Facebook's efforts to keep users from accessing their Facebook accounts through the Power website. This precedent is especially troubling because these laws have both civil and criminal penalties. EFF is concerned that this precedent could be used in the future to criminalize the creation of tools that are <i>capable</i> of bypassing technological barriers, even if they are never actually used to do so, forcing innovators to anticipate every technical block that any interoperable system or program might possibly impose. This is an unworkable rule.</p>
<p>Facebook's case against Power is dangerous as a matter of policy, threatening to put the power of law—including serious criminal penalties—behind Facebook's anti-competitive decision to thwart consumer choice and innovation that doesn't meet its approval. It doesn't bode well for the future and should encourage all of us to think more seriously about the collateral problems created by closed networks.</p>
</div></div></div><div class="field field-name-field-related-cases field-type-node-reference field-label-above"><div class="field-label">Related Cases:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/cases/facebook-v-power-ventures">Facebook v. Power Ventures</a></div></div></div>Wed, 22 Feb 2012 19:52:46 +0000Cindy Cohn and Marcia Hofmann69759 at https://www.eff.orgLegal AnalysisInnovationCoders' Rights ProjectTerms Of (Ab)Use2011 in Review: Hacking Lawhttps://www.eff.org/deeplinks/2011/12/2011-review-hacking-law
<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p><em>As the year draws to a close, EFF is looking back at the major trends influencing digital rights in 2011 and discussing where we are in the fight for free expression, innovation, fair use, and privacy.</em></p>
<p>EFF has long been concerned about the <a href="http://www.law.cornell.edu/uscode/18/1030.html">Computer Fraud and Abuse Act</a> (CFAA), a federal law that allows people to be sued civilly and charged criminally with a host of anti-hacking offenses. 2011 has been a landmark year for prosecutions under the statute, with the feds pursuing aggressive, high-profile cases against members of <a href="http://www.justice.gov/usao/can/press/2011/2011_07_19_sixteen.arrested.press.html">Anonymous</a> and <a href="http://www.fbi.gov/losangeles/press-releases/2011/member-of-hacking-group-lulzsec-arrested-for-june-2011-intrusion-of-sony-pictures-computer-systems">LulzSec</a>, as well as open access advocate <a href="http://www.wired.com/threatlevel/2011/07/swartz-arrest/">Aaron Swartz</a>.</p>
<p>Among other things, the CFAA makes it illegal to "intentionally access[] a computer without authorization or exceed[] authorized access, and thereby obtain[] . . . information from any protected computer." Courts have struggled to figure out exactly what this hopelessly vague provision means. Over the past few years, <a href="https://www.eff.org/deeplinks/2009/09/ninth-circuit-holds-disloyal-computer-use-not-crim">private</a> <a href="https://www.eff.org/deeplinks/2010/07/court-violating-terms-service-not-crime-bypassing">companies</a> and <a href="https://www.eff.org/deeplinks/2009/07/judge-overturns-lori">the</a> <a href="https://www.eff.org/deeplinks/2010/10/judge-allows-trial-cfaa-claim-against-wiseguys">government</a> have argued for a broad interpretation that would make it illegal to access computers in violation of private agreements like employment policies or website terms of use—the long, one-sided documents that users often "agree" to without ever having read. This is a bad idea because it would give companies great coercive power to criminalize behavior they don't like, harming the interests of consumers and innovation.</p>
<p>Some companies tried to push the law far beyond its limits again in 2011. In <a href="https://www.eff.org/deeplinks/2011/01/sony-v-hotz-sony-sends-dangerous-message"><i>Sony v. Hotz</i></a>, a case that eventually settled, Sony claimed that users violate the CFAA when they access their own video game consoles in ways Sony doesn't like. And in <a href="http://volokh.com/2011/05/17/employer-sues-former-employee-for-checking-facebook-and-personal-e-mail-and-excessive-internet-usage-at-work/"><i>Lee v. PMSI, Inc.</i></a>, a company struck back against a former employee who filed suit for wrongful termination, unsuccessfully arguing that she violated the CFAA by spending too much time surfing the Internet at work in violation of company policy.</p>
<p>But the long-running debate over the scope of the CFAA took a troubling twist when a three-judge panel of the Ninth Circuit decided in <a href="http://volokh.com/2011/04/28/ninth-circuit-holds-that-violating-any-employer-restriction-on-computer-use-exceeds-authorized-access-making-it-a-federal-crime/"><i>United States v. Nosal</i></a> that employees break the law when they use their work computers for purposes that violate a company's computer use policy—a decision with potentially serious implications for Internet users who violate terms of use. The court recently <a href="http://volokh.com/2011/12/19/thoughts-on-the-oral-arguments-in-united-states-v-nosal/#more-53740">reheard</a> the case en banc and is considering whether to change the result.</p>
<p>As these cases unfolded in the courts, the Obama Administration pushed to <a href="http://www.informationweek.com/news/security/government/231601078">expand the scope of the CFAA and enhance penalties</a>, which is a dangerous move when it's so unclear what the law criminalizes. Thankfully, Senators Grassley, Franken and Lee introduced a <a href="https://www.eff.org/deeplinks/2011/09/senate-committee-agrees-violating-terms-service-shouldnt">proposal</a> to clarify that it's generally not a crime to violate website terms of service or acceptable use policies. Though we think the amendment could be even better, it's a step in the right direction and we hope the Senate passes it in 2012.</p>
</div></div></div>Sat, 31 Dec 2011 04:37:37 +0000Marcia Hofmann67933 at https://www.eff.orgCommentaryCoders' Rights ProjectTerms Of (Ab)Use